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Honorable  A.  Paul  Cellucci,  Governor 

Honorable  Thomas  F.  Birmingham,  President  of  the  Senate 

Honorable  Thomas  M.  Finneran,  Speaker  of  the  House  of  Representatives 

Honorable  Stanley  C.  Rosenberg,  Chairman  of  the  Senate  Committee  on  Ways  and  Means 

Honorable  Paul  R.  Haley,  Chairman  of  the  House  Committee  on  Ways  and  Means 

Honorable  David  P.  Magnani,  Senate  Committee  on  Science  and  Technology 

Honorable  Lida  E.  Harkins,  House  Committee  on  Science  and  Technology 

Honorable  Members  of  the  General  Court 

I  am  presenting  this  report  on  a  follow-up  review  of  the  preparedness  of  the  Commonwealth  of 
Massachusetts  to  address  the  year  2000  computer  date  issue.  Our  phase  2  survey  was  undertaken  to  help 
assess  the  extent  to  which  state  agencies  and  authorities  of  the  Commonwealth  had  progressed  in  their  efforts 
to  assess  the  impact  of  year  2000  on  their  automated  systems  and  technology  and  to  take  steps  to  make 
mission-critical  and  essential  information  systems  year  2000  compliant. 

In  my  February  3,  1998  report,  I  had  concluded  that  the  Commonwealth,  overall,  was  not  adequately 
positioned  to  ensure  that  all  mission-critical  and  important  automated  systems  and  supporting  technology 
would  be  year  2000  compliant  in  time.  Based  upon  evidence  obtained  over  my  initial  report's  April  17,  1997 
to  October  21,  1997  audit  period,  less  than  half  of  state  entities  had  completed  their  year  2000  impact 
assessments,  and  far  fewer  had  developed  year  2000  project  plans.  The  purpose  of  my  phase  2  review,  which 
covers  the  period  of  October  22,  1997  to  October  20,  1998,  is  to  determine  whether  sufficient  progress  is  being 
made  by  state  entities  to  address  the  year  2000  problem. 

Most  individuals  in  the  public  and  private  sectors  have  now  recognized  the  risk  posed  by  the  year  2000 
date  problem  to  the  operational  viability  of  their  organizations.  Over  the  past  few  years,  the  year  2000  issue 
has  received  a  great  deal  of  attention.  The  initial  focus  on  large  application  systems  supported  by  mainframe 
platforms  may  have  helped  to  ensure  that  these  systems  will  be  compliant.  However,  for  many  operations,  the 
problem  goes  beyond  the  immediate  boundaries  of  the  core  systems  within  each  entity.  We  are  quickly 
learning  that  the  inter-dependencies  of  all  system  components,  beyond  the  individual  application  system,  need 
to  be  addressed  to  ensure  operational  viability.  Operating  systems,  system  software  packages,  communication 
networks,  external  systems,  and  a  host  of  peripherals  are  all  impacted  by  the  year  2000  problem.  In  addition, 
the  health  and  safety  of  our  employees  and  the  public,  as  well  as  the  ability  to  process,  are  dependent  upon  the 
proper  functioning  of  equipment  with  embedded  chips. 

Clearly,  the  upcoming  change  of  century  poses  a  serious  risk  to  virtually  all  business  and  operational 
functions  that  rely  on  computer  systems  and  technology.  Although  the  Commonwealth  has  made  progress  in 
addressing  the  problem,  much  remains  to  be  accomplished  to  avoid  disruption  of  certain  mission-critical  and 
essential  services  provided  by  state  entities.  With  that  in  mind,  I  would  like  to  share  with  you  the  results  of  my 
phase  2  survey  and  to  present  recommendations  to  assist  the  Commonwealth  in  addressing  this  significant 
issue. 
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The  year  2000  problem  stems  from  the  fact  that,  to  conserve  electronic  data  storage  space,  practically 
all  computer  systems  have  used  two  digits  to  represent  the  year.  A  problem  arises  when  dates  beyond  1 999 
are  used,  because  the  computer  system  cannot  distinguish  the  century.  It  cannot  tell  the  difference  between 
1900  and  2000,  because  both  centuries  would  be  represented  by  "00."  As  a  result,  if  not  modified,  computer 
systems  that  use  dates  or  perform  date  or  time-sensitive  calculations,  or  date  and  time  sequencing  may 
generate  incorrect  results  beyond  the  year  1999.  In  fact,  such  problems  have  already  occurred  because  dates 
affect  calculations  that  project  into  the  next  century. 

As  noted  in  my  prior  report,  the  dimensions  of  the  year  2000  problem  for  the  Commonwealth  are 
enormous.  Just  about  every  single  automated  system  and  its  related  technology,  regardless  of  size,  is 
impacted.  In  addition,  many  types  of  equipment  and  automatic  controlling  devices  contain  embedded 
technology  that  is  impacted  by  the  year  2000  date  problem.  Given  the  Commonwealth's  heavy  reliance  on 
computer  systems  and  equipment  with  embedded  technology,  their  failure  to  operate  properly  could  result  in 
anything  from  minor  inconveniences  to  major  disruptions  in  services.  Virtually  all  citizens  and  businesses  in 
the  Commonwealth  would  be  affected  should  state  systems  supporting  our  ability  to  collect  revenue,  pay  bills, 
provide  benefits,  support  infrastructure,  or  provide  health,  safety,  and  educational  services  be  adversely 
impacted  by  the  year  2000  problem. 

As  I  have  noted  before,  it  is  a  major  challenge  to  identify  which  systems  and  technology  will  be 
affected,  assess  the  impact  of  year  2000-related  dates  on  each  system  and  technology  configuration,  develop 
appropriate  remediation  or  replacement  strategies,  obtain  the  required  resources  and  expertise,  provide 
sufficient  testing,  and  redeploy  the  corrected  system  and  technology.  It  is  also  a  significant  challenge  to 
develop  workable  contingency  plans  to  ensure  that  mission-critical  and  essential  operations  and  services 
continue  to  be  provided. 

Ironically,  the  enormous  challenge  in  achieving  year  2000  compliance  and  maintaining  operational 
viability  is  not  technical,  but  managerial.  The  Commonwealth's  success  in  addressing  the  year  2000  issue  is 
largely  influenced  by  the  quality  of  the  executive  leadership  and  the  use  of  strong  project  management 
techniques.  It  is  imperative  that  senior  management  be  fully  aware  of  the  year  2000  problem  and  the  status  of 
corrective  efforts  and  set  compliance  and/or  operational  viability  objectives  as  priority  number  one. 

I  want  to  thank  the  many  state  officials  and  employees  who  responded  to  our  phase  2  survey  and 
provided  input  through  interviews  and  the  Information  Technology  Division  of  the  Executive  Office  for 
Administration  and  Finance  for  their  assistance. 

Should  you  have  questions  or  concerns  regarding  this  report,  we  would  be  pleased  to  provide  any 
additional  information  required.  I  look  forward  to  continuing  to  work  with  you  on  this  and  other  important 
issues  affecting  the  quality  of  services  provided  by  the  Commonwealth. 
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INTRODUCTION 

Background 

In  recent  years,  what  has  become  known  as  the  year  2000,  or  Y2K,  problem  has  received  a  great  deal  of 
attention.  In  the  not  so  distant  future,  if  not  already,  computer  systems  originally  programmed  to  process  dates 
using  two  digits  to  represent  the  year  will  either  make  gross  errors  in  calculations  or  will  not  function  when 
processing  year  2000-related  dates.  If  not  properly  modified,  these  computer  systems  will  be  unable  to  correctly 
process  date-related  information,  or  the  systems  may  fail  to  operate  at  all.  State  entities  and  private  sector 
organizations  have  already  experienced  problems  with  systems  being  unable  to  process  information  containing 
dates  beyond  December  31,  1999.  Due  to  the  tremendous  reliance  placed  on  automated  systems  to  support 
business  functions  in  government,  the  failure  to  process,  or  process  correctly,  could  have  a  devastating  impact  on 
those  doing  business  with  or  depending  on  the  services  of  the  Commonwealth. 

Dates  are  critical  to  the  integrity  of  computer  systems  and  the  information  they  provide.  Not  only  do 
computers  have  internal  clocks  that  are  an  integral  part  of  their  operating  systems  and  certain  system  software,  the 
vast  majority  of  information  processing  is  date-dependent.  Dates  are  used  to  identify  economic  events  and 
records  of  actions  taken  and  to  process  calculations  of  past  and  future  events. 

Ironically,  to  save  storage  space  and  data  entry  costs,  programmers  in  the  past  used  two  digits  to  designate 
years  occurring  in  the  1900s.  Most  computer  systems  represent  dates  in  the  format  MMDDYY,  where  123 198 
would  represent  December  31,  1998.  Here,  the  century  is  not  specifically  represented  in  the  date  format.  Rather, 
it  is  understood  that  a  date  such  as  12/3 1/98  is  in  the  twentieth  century.  In  order  for  a  date  to  define  a  year  beyond 
the  twentieth  century,  a  four-digit  code  for  the  year  would  be  necessary. 

Over  time,  application  systems  that  projected  dates  beyond  1999  confronted  the  impasse  of  the  two-digit 
code.  In  such  situations,  the  problem  was  solved  largely  by  modifying  the  application  software.  Except  for  this 
relatively  small  number  of  modified  systems,  the  vast  majority  of  computer  programs  currently  in  place  perform 
arithmetic  and  logic  operations  on  date  fields  using  only  two  digits  for  the  year.  As  long  as  the  dates  were  in  the 
same  century,  as  they  have  been,  the  program  would  work  as  intended.  However,  problems  have  arisen  when 
application  systems  have  been  required  to  use  or  to  calculate  with  dates  projecting  into  the  next  century.  For 
example,  a  computer  subtracting  10/30/98  from  10/30/08  to  determine  someone's  age  would  not  produce  the 
correct  answer  of  10;  it  would  produce  a  result  of  -90.  However,  because  date-related  calculations  are  not  signed 
(+/-),  the  person  would  appear  to  be  90  instead  of  his  or  her  real  age  of  10. 

The  magnitude  of  the  year  2000  problem  for  the  Commonwealth  is  enormous.  The  date  problem  exists  for 
all  processing  platforms,  including  mainframes,  minicomputers,  microcomputers,  local  area  networks  (LANs),  and 
telecommunications  systems  such  as  private  branch  exchanges  (PBXs).  Essentially,  the  two-digit  year  field  can 
be  found  in  computer  equipment,  firmware,  operating  systems,  software  compilers,  job  control  language,  queries, 
screens,  procedures,  calls  to  other  programs,  microcode,  databases,  application  systems,  and  data.  Some  computer 
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systems,  originally  designed  and  developed  1 5  to  20  years  ago,  may  not  be  adequately  documented;  may  use 
different  programming  languages;  and  may  operate  on  a  variety  of  hardware  platforms.  Within  the 
Commonwealth  there  are  thousands  of  computer  programs  with  millions  of  lines  of  code  to  be  examined  for  date 
problems.  Even  if  the  Commonwealth  were  to  completely  solve  the  year  2000  problem  for  its  own  systems,  data 
from  outside  sources  that  are  not  year  2000  compliant  could  contaminate  them.  Government  entities  or  business 
partners  could  either  supply  incorrect  data  based  on  erroneous  calculations  from  their  systems  that  have  not 
attained  compliance  or  data  using  a  different  date  format. 

The  process  of  bringing  automated  systems,  technology,  and  equipment  with  embedded  chips  into  year  2000 
compliance  is  complicated  by  the  strategic  alternatives  and  the  logistics  involved.  Given  that  an  entity  has 
identified  and  assessed  the  impact  of  year  2000  on  all  systems,  platforms,  associated  components,  and  equipment 
with  embedded  chips,  significant  effort  remains  to  finalize  the  project  plan,  obtain  resources,  execute  remediation, 
adequately  test,  and  develop  appropriate  contingency  plans  to  ensure  operational  viability. 

Although  the  marketplace  continues  to  make  available  an  increasing  set  of  improved  software  products  and 
consulting  services  to  address  the  year  2000  problem,  because  of  strong  competitive  forces  in  the  marketplace, 
shortages  in  resources  have  already  been  experienced. 

Estimated  costs  within  the  United  States  to  address  the  year  2000  problem  exceed  $75  billion.  Individual 
enterprises  are  expending  as  much  as  $100  million  to  address  the  problem.  Although  the  cost  to  be  incurred  by 
the  Commonwealth  has  been  estimated  at  $79  million,  based  on  our  phase  2  survey,  it  has  been  conservatively 
currently  estimated  at  approximately  $90  million. 

Once  the  year  2000  impact  has  been  assessed,  organizations  need  to  identify  the  systems  and  technology  to  be 
modified,  develop  a  strategy  for  making  the  necessary  changes,  obtain  the  required  resources,  initiate  remedial 
action,  perform  testing,  and  finally  implement  the  changes.  The  same  process  of  identification,  impact 
assessment,  planning,  remediation  or  replacement,  and  testing  is  required  for  equipment  with  date-sensitive 
embedded  technology. 

It  is  management's  responsibility  to  ensure  that  appropriate  internal  controls  are  in  place  to  provide 
reasonable  assurance  that  operational  and  control  objectives  are  met.  According  to  the  tenets  of  good  internal 
control,  as  outlined  in  Chapter  647  of  the  Acts  of  1989  and  other  generally-accepted  internal  control  practices,  a 
primary  fiduciary  responsibility  of  state  management  is  to  ensure  the  continued  integrity  of  business  operations 
and  that  the  entity's  assets  are  adequately  safeguarded.  Failure  to  sufficiently  address  the  Commonwealth's  year 
2000  problem  in  a  prudent  and  timely  manner  for  mission-critical  and  essential  systems  could  result  in  the  loss  of 
important  business  processing  or  corrupt  the  integrity  of  automated  systems.  Citizens  and  other  parties  who  are 
dependent  on  state  services  could  be  denied  needed  services,  including,  but  not  limited  to,  determination  of 
eligibility  to  provision  of  assistance  benefits,  public  safely  protection,  state-provided  higher  education,  and 
disruption  of  public  transportation  services. 

No  one  should  underestimate  the  seriousness  of  the  year  2000  problem.  We  are  heavily  reliant  on 
information  technology  to  capture,  process,  store,  and  provide  information.  Technology-based  systems  support 
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the  majority  of  services  provided.  Like  businesses  and  private  homes,  the  Commonwealth  is  also  dependent  on 
the  public  utilities  to  provide  power,  water  and  sewerage,  and  communications,  all  of  which  are  also  dependent 
upon  technology  that  is  subject  to  disruptions  by  the  year  2000  problem. 

Given  the  potential  risks  of  not  having  automated  systems  or  technology  operate  correctly,  or  at  all,  failure  to 
ensure  operational  viability  for  mission-critical  and  essential  processing  would  place  citizens  and  parties  doing 
business  with  the  Commonwealth  at  jeopardy.  While  there  is  a  variety  of  remediation  strategies,  from  work- 
arounds to  date  expansion,  there  is  but  one  bottom  line.  The  system  or  technology  must  function  properly  when 
encountering  year  2000-related  dates.  Failure  to  do  so  could  result  in  serious  miscalculations,  inability  to  process 
state  business,  operational  paralysis,  potentially  catastrophic  legal  implications,  and  public  dismay  or  anger. 

The  Office  of  the  State  Auditor's  Phase  2  Survey 

The  Office  of  the  State  Auditor  (OS  A)  initiated  a  second  statewide  survey  to  determine  whether  state  entities 
had  made  sufficient  progress  in  addressing  the  year  2000  problem  to  ensure  that  state  systems  and  technology 
would  continue  to  operate  as  intended  when  impacted  by  year  2000-related  dates.  We  reiterate  that  the  year  2000 
problem  is  a  significant  issue,  warranting  attention  of  senior  management,  chief  financial  officers,  chief 
information  officers,  technology  managers,  business-process  owners,  and  system  users.  The  intent  of  our  phase  2 
survey  is  to  provide  an  assessment  of  the  level  of  year  2000  preparedness  and  to  offer  recommendations  to  assist 
state  entities  in  addressing  the  issue. 

The  objective  of  our  survey  questionnaire  (see  Appendix  1,  page  46  for  a  subset  of  questions,  or  website 
(www.magnet.state.ma.us/sao/survev2.doc)  for  a  complete  survey)  and  selected  interviews  was  to  obtain  sufficient 
information  to  draw  a  conclusion  on  the  level  of  the  state's  year  2000  preparedness. 

The  purpose  of  this  report  is  to  present  our  phase  2  survey  results  and  to  encourage  public  officials,  state 
administrators  from  all  branches  of  government,  and  other  affected  parties  to  take  the  steps  necessary  to  ensure 
operational  viability  for  mission-critical  and  essential  functions  and  services  when  impacted  by  the  change  in 
century. 


Massachusetts  Office  of  the  State  Auditor 


99-7055-4Y 


Massachusetts  Office  of  the  State  Auditor 


99-7055-4Y 


-5  - 


SURVEY  SCOPE,  OBJECTIVES,  AND  METHODOLOGY 

Survey  Scope 

The  scope  of  our  phase  2  survey  was  to  review  progress  by  state  entities  regarding  their  steps  planned  or  taken 
to  address  the  year  2000  problem  with  regard  to  their  information  technology,  automated  systems,  and  equipment 
with  date-sensitive  embedded  chips.  In  addition,  we  reviewed  the  role  and  responsibilities  of  ITD's  Y2K  Program 
Management  Office  (PMO)  with  respect  to  addressing  the  year  2000  computer  date  problem.  Included  in  the 
survey  and  on-site  interviews  were  entities  from  the  executive  branch,  judiciary,  legislative  branch,  constitutional 
offices,  and  independent  authorities.  We  also  reviewed  reports  regarding  electric  power  utilities  related  to  year 
2000  readiness. 

Survey  Objectives 

The  objective  of  the  phase  2  survey  is  to  determine  the  extent  to  which  state  entities  have  progressed 
regarding  completing  the  phases  of  assessment,  planning,  and  remedial  action  efforts  to  address  the  year  2000 
problem.  As  such,  the  phase  2  survey  was  conducted  to  determine  whether  steps  were  being  taken  to  ensure  that 
mission-critical  and  essential  information  systems  and  information  technology  would  attain  year  2000  compliance 
and/or  that  mission-critical  and  essential  services  would  maintain  operational  viability.  As  with  our  initial  survey, 
an  additional  objective  of  the  phase  2  survey  was  to  have  it  serve  as  an  instrument  to  increase  the  level  of 
awareness  of  the  year  2000  issue.  The  objective  of  reviewing  reports  was  to  determine  whether  the 
Commonwealth's  electric  power  supply  would  function  normally  when  impacted  by  year  2000  dates. 

Survey  Methodology 

To  determine  the  extent  to  which  state  entities  had  progressed  in  addressing  the  year  2000  problem,  we  used  a 
survey  questionnaire  and  on-site  interviews  to  solicit  information  regarding  the  status  of  effort.  We  used  reports 
from  the  ITD's  PMO  pertaining  to  the  status  of  effort  and  degree  of  preparedness  for  four-digit-year  processing  for 
computer  operations  prior  to  and  subsequent  to  the  year  2000. 

The  survey  questionnaire  used  in  phase  2  focused  more  heavily  on  project  status.  The  eight-page  survey  was 
mailed  to  chief  executive  officers  of  state  departments,  agencies,  and  authorities.  Not  all  entities  within  the 
judiciary  received  a  survey  questionnaire,  as  the  Administrative  Office  of  the  Trial  Court  requested  that  we  address 
the  questionnaire  through  them  to  permit  a  combined  response.  Following  the  initial  response  deadline,  telephone 
calls  and  e-mail  messages  were  used  to  encourage  entities  that  had  not  yet  responded  to  do  so.  We  conducted  on- 
site  interviews  with  key  administrators  from  a  sample  of  state  entities  to  obtain  more  in-depth  information 
regarding  their  efforts  to  address  the  year  2000  problem.  We  conducted  interviews  at  the  following  state 
agencies:  Department  of  Public  Health,  Department  of  Public  Safety,  Department  of  Revenue,  Department  of 
Telecommunications  and  Energy,  Department  of  Transitional  Assistance,  Division  of  Employment  and  Training, 
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Office  of  the  State  Comptroller,  Massachusetts  Emergency  Management  Agency,  Massachusetts  Highway 
Department,  and  the  Massachusetts  State  Police.  We  conducted  site  interviews  at  the  following  authorities: 
Massachusetts  Bay  Transportation  Authority,  Massachusetts  Water  Resources  Authority,  and  the  Massport 
Authority,  and  met  with  the  Administrative  Office  of  the  Trial  Court.  In  addition,  we  interviewed  the 
management  of  the  Commonwealth's  Information  Technology  Division  (ITD)  within  the  Executive  Office  for 
Administration  and  Finance,  which  had  taken  a  leadership  role  regarding  year  2000  for  executive  branch  agencies. 
Based  upon  the  survey  evidence  obtained,  and  on-site  interviews,  certain  conclusions  could  be  drawn  regarding  the 
process,  the  general  progress  of  impact  assessment  and  remediation  efforts,  adequacy  of  documentation,  and  the 
likelihood  of  attaining  year  2000  compliance  for  important  systems  and  technology. 

The  responses  to  our  phase  2  survey  were  entered  into  a  database  and  summarized.  We  reviewed  minutes 
from  the  Y2K  User  Group  meetings  and  status  reports  prepared  by  ITD's  PMO.  Although  the  report  provides  a 
limited  number  of  specific  examples,  the  report  is  written  from  the  perspective  of  the  Commonwealth  as  a  whole, 
recognizing  that  the  extent  of  progress  may  vary  significantly  among  all  entities. 

We  also  reviewed  reports  published  by  the  North  American  Electric  Reliability  Council  and  the  survey  results 
of  the  DTE  regarding  providers  of  electricity  within  Massachusetts  and  their  year  2000-compliance  status. 
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EXECUTIVE  SUMMARY 

The  Commonwealth  of  Massachusetts  has  made  good  progress  over  the  past  year  in  its  year  2000  efforts. 
Our  survey  and  primarily  reports  from  the  PMO  indicate  that  the  majority  of  entities  tracked  by  the  PMO  have 
moved  forward  toward  ensuring  that  their  systems  will  operate  correctly  when  using  year  2000-related  dates. 
However,  because  a  portion  of  state  entities  have  not  demonstrated  in  their  survey  responses  sufficient  progress 
and  the  bulk  of  year  2000  testing,  including  obtaining  independent  assurances  through  independent  verification 
and  validation  (IV&V),  remains  to  be  performed,  it  continues  to  be  our  opinion  that  the  Commonwealth  cannot,  at 
this  time,  be  adequately  assured  that  all  mission-critical  and  essential  functions  and  services  will  be  operational 
after  being  impacted  by  year  2000-related  dates. 

Although  a  number  of  state  entities  have  moved  into  remediation  efforts  since  our  last  report,  a  significant 
amount  of  work  remains,  especially  in  testing,  performing  IV&V,  and  developing  contingency  plans.  The 
absolute  time  constraints,  competing  priorities,  absence  of  documented  project  and  test  plans,  and  resource 
constraints  continue  to  hinder  the  ability  of  some  entities  to  effectively  address  the  year  2000  problem.  In 
addition  to  the  risk  that  certain  year  2000  projects  will  not  be  successfully  completed,  there  is  little  evidence  that 
workable  contingency  plans  are  being  developed. 

We  acknowledge  that  an  increasing  number  of  state  entities  have  progressed  over  the  period  of  October  1 997 
to  October  1998  in  completing  IT  inventories,  impact  assessments,  and  taking  steps  to  make  automated  systems 
year  2000  compliant.  Because  of  the  enormity  of  the  projects  involved,  especially  in  the  areas  of  embedded 
technology,  significant  effort  remains  to  ensure  that  mission-critical  and  essential  functions  and  services  will  be 
operational  when  impacted  by  year  2000  dates.  The  Commonwealth,  to  some  degree,  is  at  the  critical  juncture 
between  completing  remediation  steps  and  initiating  testing.  Until  adequate  year  2000-related  testing  is 
completed,  sufficient  assurance  cannot  be  attained  as  to  the  degree  of  readiness  of  systems  and  technology.  Based 
upon  evidence  from  survey  responses  and  on-site  interviews,  we  remain  concerned  regarding  the  likelihood  that  a 
portion  of  the  state's  systems,  including  equipment  with  embedded  technology,  may  not  be  complaint  in  time  and 
that  adequate  contingency  plans  will  not  be  in  place. 

Comparing  the  October  1997  status  of  year  2000  efforts  made  by  state  entities  to  the  phase  2  survey  results  of 
one  year  later  indicates  that  a  significant  portion  of  entities  responding  have  initiated  some  level  of  remediation 
work.  A  review  of  the  PMO's  last  quarterly  report  and  statements  made  by  the  PMO  at  the  September  23,  1998 
hearing  of  the  Committees  on  Science  and  Technology  reflect  high  percents  of  entities  and  systems  moving  toward 
year  2000  compliance.  However,  a  cautionary  note  may  be  warranted.  The  unforgiving  nature  and  extent  of  the 
year  2000  problem  combined  with  the  potential  impact  of  non-compliance  and  a  general  absence  of  "hard"  details 
on  test  results  leaves  us  concerned,  and  somewhat  uneasy,  as  to  the  ability  of  some  state  entities  to  successfully 
address  the  year  2000  issue. 
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With  regard  to  year  2000  testing,  entities  are  facing  tight  time  frames,  potential  resource  constraints,  and 
difficulties  in  ensuring  the  adequacy  and  appropriateness  of  test  plans.  We  are  concerned  about  the  extent  to 
which  state  entities  will  be  able  to  gain  assurance  through  IV&V  of  the  correctness  of  remediation  due  to  resource 
availability,  timing,  and  management  understanding  of  how  best  to  use  IV&V. 

IT  systems  should  be  considered  at  risk  of  not  being  year  2000  compliant  until  adequate  assurance  has  been 
gained  through  future  date  testing  and,  when  appropriate,  IV&V  has  been  completed  on  the  overall  information 
systems,  their  supporting  technology  and  networks,  and  interfaces  with  other  systems.  Although  there  may  be 
systems  for  which  the  risk  of  non-compliance  is  low,  or  steadily  being  reduced,  there  are  a  number  of  systems  and 
technologies  for  which  the  likelihood  of  year  2000  failure  remains  high. 

Even  though  entities  could  attain  what  would  be  deemed  as  a  prudent  and  reasonable  level  of  testing  and 
independent  assurance,  there  is  a  residual  risk  that  the  system,  technology,  or  equipment  with  embedded  chips  will 
not  operate  correctly  when  encountering  year  2000-related  dates,  or  when  required  to  work  in  concert  with  other 
technology.  Since  "fail  safe"  testing  would  be  performed  on  only  the  most  critical  of  systems  or  technology, 
entities  would  rely  on  the  level  of  testing  performed.  Since  some  of  the  state  systems  and  technology  may  fail, 
hopefully  an  adequate  level  of  operations  or  service  provision  can  be  achieved  through  contingency  plans.  It  is 
imperative  that  senior  management  obtain  an  understanding  of  the  level  of  residual  risk  of  operational  failure  due 
to  inoperable  IT  components  and  determine  the  extent  to  which  contingency  plans  should  be  developed. 

Additional  effort  is  needed  to  fully  identify,  assess  the  impact,  and  develop  appropriate  remediation  plans  for 
equipment  with  embedded,  date-sensitive  technology.  While  not  every  entity  has  equipment  with  embedded 
technology  that  would  cause  a  material  adverse  impact  for  the  Commonwealth,  every  entity,  to  some  degree,  is 
impacted  by  embedded  systems.  Of  key  concern  is  the  use  of  embedded  technology  that  impacts  transportation, 
water  and  sewerage,  power,  traffic  control,  and  devices  used  to  support  hospital  and  emergency  services. 
Increased  effort  is  needed  to  complete  inventories  and  impact  assessments  for  embedded  technology  and  to 
develop  appropriate  risk  mitigation  plans. 

Although  the  Commonwealth,  in  general,  is  progressing  on  year  2000  projects,  we  are  concerned  that  certain 
state  entities  may  falter  in  the  remaining  fourteen  months.  It  is  possible,  that  because  of  extremely  tight  time 
frames,  the  enormity  of  the  project  itself,  resource  constraints,  or  a  lack  of  adequate  project  management,  some  of 
the  following  entities  may  experience  difficulties  in  fully  addressing  their  year  2000  objectives.  From  the 
perspective  of  embedded  technology,  we  are  concerned  that  the  MBTA  may  not  be  able  to  develop  viable 
contingency  plans  to  address  an  operational  failure  of  signal  switches.  Although  they  are  working  on  a 
contingency  plan,  the  current  draft  plan  permits  only  a  low  volume  of  operation,  thereby  significantly  reducing  the 
frequency  of  running  trains.  We  are  also  concerned  that  the  Department  of  Transitional  Assistance  (DTA)  may  be 
unable  to  meet  its  year  2000  deadlines  due  to  the  late  scheduling  of  testing  in  November  1999.  Since  their 
contingency  plans  have  yet  to  be  developed,  a  failure  of  DTA  systems  could  cause  significant  problems  in 
providing  needed  benefits  to  citizens  of  the  Commonwealth.  With  respect  to  the  judiciary,  we  received  a  limited 
number  of  survey  forms  indicating  that  there  was  no  year  2000  project  for  the  particular  court  responding. 
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Further,  the  Administrative  Office  of  the  Trial  Court  (AOTC),  which  requested  to  submit  a  combined  survey 
questionnaire  representing  all  their  courts,  failed  to  submit  a  survey  or  statement  of  their  year  2000  efforts. 
Although  the  AOTC  did  provide  some  limited  information  at  our  meetings,  we  are  concerned  that  the  AOTC's 
inability  to  provide  detailed  information  on  the  status  of  year  2000  efforts  may  be  indicative  that  critical  success 
factors  important  to  year  2000  projects  may  not  be  adequately  addressed. 

Interviews  with  the  Massachusetts  State  Police  revealed  that  they  had  not  inventoried  or  assessed  the  impact 
of  year  2000  on  embedded  technology,  nor  established  test  plans  for  IT  resources.  Our  primary  concern  regarding 
the  State  Police  is  focused  on  embedded  technology  for  communication  systems  that  permit  on-line  contact  from 
police  cruisers  to  databases  supporting  law  enforcement.  In  another  area,  although  the  Massachusetts  Highway 
Department  appears  to  have  its  year  2000  activities  well  controlled,  we  are  concerned  about  their  ability,  in 
conjunction  with  cities  and  towns,  to  adequately  address  the  potential  failure  of  embedded  technology  in  traffic 
control  lights.  And,  from  a  contingency  planning  perspective,  the  Massachusetts  Water  Resources  Authority, 
which  appears  to  be  well-positioned  to  meet  its  year  2000  objectives,  is  faced  with  a  possible  major  problem 
should  electrical  power  be  lost.  They  are  concerned  as  to  whether  an  increase  of  jet  fuel  supplies  to  run  their 
backup  generators  at  Deer  Island  will,  in  fact,  be  sufficient  should  electric  power  be  lost.  Because  of  the 
significant  adverse  impact  that  could  occur  should  they  be  inoperable  for  a  period  of  time,  their  contingency 
planning  efforts  regarding  increased  fuel  reserves  may  need  to  be  expanded. 

Our  interviews  with  the  Department  of  Revenue,  and  reviews  of  documentation  made  available,  demonstrate 
that  significant  progress  has  been  made  toward  remediating  their  systems.  Currently,  however,  they  do  not  appear 
to  have  adequate  funding  for  necessary  IV&V  or  the  development  of  adequate  contingency  plans.  Their  inability 
to  function  could  jeopardize  the  Commonwealth's  revenue  stream.  We  are  also  concerned  about  the  Department 
of  Public  Health's  ability  to  successfully  address  the  difficult  problems  posed  by  embedded  technology  in 
hospitals  and  labs.  Last,  by  default,  we  are  concerned  about  those  entities  that  did  not  provide  year  2000  status 
information.  While  some  may  not  be  significantly  impacted  by  the  year  2000  problem,  and  others  may  have  been 
included  within  a  "parent"  (i.e.,  oversight  agency)  response,  a  portion  of  state  entities  were  unable  to  demonstrate 
that  they  were  managing  the  problem.  In  addition  to  the  general  concerns  about  electrical  power, 
telecommunications,  and  other  public  utility-based  services,  responses  to  our  phase  2  survey  identified  competing 
priorities,  lack  of  experienced  personnel,  unresponsive  vendors,  and  resource  and  funding  constraints  as  barriers  to 
successfully  tackling  the  year  2000  problem. 

Regarding  the  availability  of  funding,  it  is  our  understanding  that  the  $20.4  million  appropriated  for  fiscal 
year  1999  has  already  been  assigned  and  that  agencies  will  need  to  draw  from  operating  appropriations  to  meet 
additional  funding  requirements,  or  to  obtain  additional  funds  from  outside  sources.  If  the  outside  sources  were 
federal  entities,  those  funds  might  be  in  jeopardy  given  fiscal  constraints  being  placed  at  the  federal  level.  Our 
phase  2  survey  disclosed  concerns  that  additional  funding  will  be  needed  to  support  testing  and  the  development  of 
contingency  plans. 
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For  most  entities,  the  year  2000  project  will  be  one  of  the  most  challenging  and  important  IT  projects 
undertaken,  requiring  detailed  planning  and  strong  project  management  disciplines.  From  the  outset  and 
throughout  the  process,  administrators  will  need  to  carefully  manage  and  monitor  their  year  2000  projects.  The 
inability  of  many  state  entities  to  establish  senior  or  board-level  responsibility  for  year  2000  efforts  and  develop 
detailed  project  and  test  plans  places  at  risk  the  likelihood  that  those  entities  will  successfully  address  the  year 
2000  problem  for  their  systems  and  technology.  Only  92  (41%)  of  the  respondents,  indicated  that  they  had 
established  senior  or  board-level  responsibility  for  their  year  2000  project. 

To  ensure  that  mission-critical  and  essential  automated  systems,  supporting  technology,  and  embedded 
technology  are  year  2000  compliant  is  no  trivial  matter.  We  must  ensure  that  appropriate  points  of  accountability 
are  established,  outstanding  impact  assessments  and  project  plans  are  completed,  and  that  strong  project 
management  techniques  are  employed  throughout  the  process.  We  need  to  develop  improved  mechanisms  for 
resource  acquisition  and  budgeting  of  actual  year  2000-related  costs. 

Management  should  be  mindful  that  appropriate  internal  controls  must  be  exercised  when  implementing 
remedial  actions.  Care  must  be  taken  to  employ  strong  control  practices  when  addressing  the  year  2000  problem 
under  the  pressure  of  elapsing  time.  We  remain  greatly  concerned  that,  as  the  century  deadline  approaches, 
internal  control  matters,  such  as  program  changes,  logical  access  security  to  systems  and  data,  and  business 
continuity  planning  may  fall  victim  to  crisis-mode  operations  and  thereby  be  compromised.  Program  and  data 
integrity,  security,  and  confidentiality  must  continue  to  receive  adequate  attention  appropriate  to  their  importance, 
risk,  and  sensitivity.  Business  continuity  planning  takes  on  added  importance  with  the  real  possibility  that  certain 
systems  may  fail  to  meet  their  deadline. 

Delays  in  completing  remediation  and  testing  until  calendar  year  1999  places  the  Commonwealth  at  risk  of 
not  being  able  to  garner  the  needed  resources  internally  or  from  the  marketplace  to  accomplish  year  2000 
compliance  and  develop  workable  contingency  plans  in  time.  There  appears  to  be  an  industry-wide  consensus 
among  year  2000  professionals  with  experience  in  testing  and  validation  that  this  phase  of  a  year  2000  project 
typically  consumes  50  to  60  percent  of  project  time  and  resources.  Because  of  this,  we  remain  very  concerned 
about  the  timely  and  successful  outcome  for  many  entities'  year  2000  efforts.  In  the  ever-shrinking  period  of  time 
remaining  before  the  century  change,  the  Commonwealth  at  large  must  have  as  its  first  priority  ensuring  that 
mission-critical  and  essential  functions  and  services  continue  to  be  provided  when  impacted  by  year  2000-related 
dates. 

To  assist  state  entities  in  addressing  the  year  2000  problem,  this  report  includes  recommendations  within  the 
text  and  listed  in  Appendix  4,  page  70. 
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SURVEY  RESULTS 

Presented  in  this  section  of  the  report  are  the  results  of  our  Phase  2  survey  questionnaire  and  interviews  with 
14  state  entities  and  the  ITD's  Y2K  PMO.  We  have  retained  the  same  report  structure  as  used  in  our  February  3, 
1998  report  on  the  Commonwealth's  preparedness  to  address  the  year  2000  computer  date  issue.  As  such,  the 
subheadings  presented  in  this  section  follow  the  same  order  of  those  in  the  phase  2  survey  questionnaire  with  some 
additional  subheadings  included  to  provide  further  guidance  to  the  subject  matter.  A  copy  of  selected  questions 
from  the  survey  questionnaire,  which  include  statistics  on  responses  for  some  key  questions,  begins  on  page  46. 
In  addition,  recommendations  are  presented  in  indented,  bold  text  in  this  section  and  as  an  action  list  in 
Appendix  4,  beginning  on  page  70. 

Our  office  received  a  total  of  226  completed  surveys.   Some  of  the  completed  surveys  were  deemed  to 
represent  multiple  responses,  either  because  they  were  stated  as  such  or  because  data  processing  services  for 
certain  entities  were  provided  by  a  centralized  information  technology  function  at  another  entity.  We  determined 
that  48  additional  entities  were  represented  in  this  manner.  Therefore,  we  ascertained  that  of  the  total  638  surveys 
distributed,  274  (43%)  of  the  total  population  of  entities  were  represented  in  the  final  responses.  Although  57%  of 
the  entities  failed  to  respond,  those  responding  represented  entities  having  a  substantial  portion  of  the  state's 
information  technology. 

Our  phase  2  survey  does  indicate  that  for  those  entities  responding,  they  were  on  average  progressing  through 
their  year  2000  projects.  Although  the  survey  also  raises  some  serious  concerns  as  to  whether  all  mission-critical 
and  essential  functions  and  services  will  be  operational  when  supporting  systems  are  impacted  by  year  2000- 
related  dates;  some  very  good  efforts  have  been  made  by  a  core  of  entities  to  address  operational  compliance.  The 
Office  of  the  State  Comptroller  continues  to  move  forward  to  ensure  that  the  state's  primary  accounting 
information  system  will  be  ready  in  time.  The  system,  known  as  the  Massachusetts  Management,  Accounting, 
and  Reporting  System  (MMARS)  is  expected  to  be  redeployed  after  remediation  on  December  7,  1998.  Our 
interviews  revealed  that  the  Department  of  Revenue  has  progressed  with  its  efforts  to  ensure  that  its  mission- 
critical  systems  will  be  compliant  in  time.  Other  agencies  that  have  made  good  progress  include  the  Division  of 
Employment  and  Training,  Office  of  Consumer  Affairs,  Registry  of  Motor  Vehicles,  the  Department  of 
Correction,  Division  of  Occupational  Safety,  Office  of  Child  Care  Services,  Operational  Services  Division  (OSD), 
the  Department  of  Veterans  Services,  and  the  Department  of  Mental  Retardation. 

The  PMO  has  presented  some  encouraging  statistics  regarding  the  progress  of  entities  to  address  year  2000 
compliance.  It  continues  to  appear  that  a  core  of  state  entities  are  likely  to  successfully  address  the  year  2000 
issue  in  time,  and  the  results  of  our  phase  2  survey  and  information  provided  by  the  PMO  suggests  that  the  number 
of  entities  likely  to  be  successful  is  increasing.  Although  we  feel  that  entities  have  been  relatively  candid,  much 
of  the  information  is  based  on  "soft"  data.  We  are  concerned  about  those  entities  that  failed  to  submit  year  2000 
survey  information  and  that  the  primary  mechanism  in  place  to  track  entity  status  is  self-reporting.  Although  the 
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new  status  compliance  form,  which  requires  entities  to  list  mission-critical  and  essential  systems,  may  improve  the 
PMO's  system  of  record,  increased  effort  is  needed  to  enhance  the  metrics. 

As  noted  in  our  prior  report,  ITD's  Strategic  Planning  Group  (ITD  SPG)  established  in  the  spring  of  1997  a 
Year  2000  Program  Management  Office,  formed  a  state-wide  year  2000  Users  Group,  hosted  awareness 
programs,  established  a  year  2000  web  page,  and  conducted  seminars  and  workshops  to  promote  best  practices 
for  addressing  year  2000  compliance.   The  Year  2000  Program  Management  Office  (Y2K  PMO)  has 
coordinated  year  2000  activities  with  our  office,  the  Fiscal  Affairs  Division  (formerly  the  Budget  Bureau),  and 
the  Operational  Services  Division.   The  Y2K  PMO  is  responsible  for  coordinating  year  2000  activities, 
promoting  awareness,  exchanging  technical  information  among  the  agencies,  monitoring  statewide  efforts  on 
year  2000  progress,  and  assisting  agencies  in  their  year  2000  projects. 

We  are  concerned  that  the  PMO's  initial  determination  of  what  systems  within  a  given  agency  were  mission 
critical  and  essential  may  have  been  reported  to  PMO  by  staff  who  were  not  sufficiently  high  in  the  organization 
to  fully  understand  the  business  operations  of  the  agency,  or  that  reevaluations  of  these  mission-critical  and 
essential  categories  have  been  made  subsequent  to  the  initial  one  and  not  reflected  in  the  PMO's  tracking  system. 
If  this  were  a  problem,  the  new  compliance  status  form  should  help  remedy  any  discrepancies  within  the  entity 
since  senior  management  from  the  entity  are  required  to  sign  the  form  which  includes  a  list  of  mission-critical 
and  essential  systems. 

We  strongly  support  the  use  of  the  PMO's  compliance  status  report  and  believe  that  its  submission  should  be 
required  for  all  state  entities,  as  well  as  entities  receiving  state  funds.  We  suggest  that  the  form  be  expanded  to 
include  a  required  statement  regarding  efforts  to  ensure  that  mission-critical  and  essential  functions  and  services 
will  be  provided  when  impacted  by  year  2000-related  dates. 

To  coordinate  information  on  the  status  of  year  2000  projects,  we  recommend  that  through  legislative 
initiative  and  coordination  from  the  Governor  that  the  PMO's  authority  be  increased  and  that  all 
entities,  including  the  Judiciary,  constitutional  officers,  authorities,  and  entities  that  receive  state 
funds,  be  required  to  report  on  the  status  of  their  year  2000  efforts.  Such  entities  should  be  required 
to  provide  statements  of  progress  or  assurance  as  to  whether  mission-critical  and  essential  functions 
and  services  will  be  operational  when  impacted  by  year  2000-related  dates. 

In  addition,  ITD  should  establish  accreditation  methodologies  and  standards  to  certify  the  completion 
of  year  2000  projects. 

Awareness 

Although  our  phase  2  survey  focused  more  on  impact  assessment,  planning,  remediation,  and  testing,  a  small 
number  of  entities  indicated  that  a  lack  of  awareness  still  remained  a  problem.  Over  the  past  year,  the  PMO  has 
continued  its  efforts  to  provide  awareness  days,  Y2K  user  group  meetings,  and  disseminate  information  regarding 
year  2000  issues.  In  addition,  the  State  Legislature's  Science  and  Technology  Committees  continue  to  hold 
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hearings  regarding  the  status  of  year  2000  efforts.  We  further  note  that  the  year  2000  issue  has  also  received 
significant  coverage  in  the  general  media. 

We  are  concerned  that  some  entities  may  not  be  sufficiently  aware  of  the  true  benefits  of  I  V&  V,  the  nature 
and  extent  of  the  problem  or  how  to  address  it  for  equipment  with  embedded  technology,  and  for  developing  viable 
contingency  plans.  Executive  management  understanding  and  support  are  required  in  developing  year  2000 
strategies  because  factors  such  as  the  magnitude,  logistics,  and  complexity  of  the  problem  may  serve  as  barriers  at 
lower  levels  within  the  organization.  We  believe  that,  to  foster  appropriate  corrective  action,  further  steps  are 
warranted  to  ensure  that  all  levels  of  management  within  entities  have  a  sufficient  understanding  of  the  problem 
and  its  associated  risks. 

To  achieve  a  broader  spectrum  of  awareness  throughout  the  Commonwealth,  we  recommend  that  the 
Governor  issue  an  executive  order  related  to  year  2000  compliance  responsibilities  and  reporting 
requirements.  The  executive  order  should  include  additional  requirements  for  centralized  reporting 
for  all  state  entities  and  incorporate  instructions  similar  to  those  outlined  in  Secretary  for 
Administration  and  Finance  Charles  Baker's  September  29,  1997  letter  (see  Appendix  6,  page  79). 
The  letter  was  sent  to  all  executive  branch  secretaries  and  department  heads  regarding  year  2000. 

To  ensure  that  all  entities  become  sufficiently  aware  of  the  year  2000  problem  and  how  to  address  it, 
the  Commonwealth  should  continue  to  provide  year  2000  awareness  seminars  across  the  state.  AH 
reasonable  efforts  should  be  made  to  contact  those  entities  that  have  not  been  confirmed  as  having 
developed  appropriate  strategies  to  ensure  operational  viability  of  mission-critical  and  essential 
operations. 

To  keep  informed  of  what  other  parties  are  doing  with  regard  to  the  year  2000  problem,  entities 
should  network  with  each  other,  consult  with  ITD's  Project  Management  Office,  attend  Y2K  user 
group     meetings,     and     use     Internet    websites    as     an     additional     source,     such  as: 

Http://www.magnet.state.ma.us/y2k/  and  Http: //www .isaca.org/yr2000 .htm 

Year  2000  Understanding 

We  continue  to  believe  that  there  are  certain  state  entities  that  may  not  possess  adequate  knowledge  of  the 
year  2000  problem,  or  how  to  address  it.  These  entities  may  consider  the  problem  too  overwhelming  to  address 
and,  as  a  result,  adequate  corrective  action  may  not  be  taken.  Other  entities,  buoyed  by  their  recent  progress  in 
initiating  remediation  efforts,  may  underestimate  the  time  required  for  testing  and  may  fall  prey  to  delays  caused 
by  testing  logistics  and  significant  problems  detected  during  testing. 

Awareness  is  being  enhanced  as  entities  progress  through  their  year  2000  projects  and  learn  more  about  what 
can  be  affected,  the  nature  of  operational  failures,  and  some  of  the  logistical  difficulties  in  completing  remediation 
and  testing.  We  find  this  encouraging;  however,  for  all  but  a  core  of  entities,  further  understanding  is  needed  in 
year  2000  testing,  contingency  planning,  and  embedded  technology  impact  assessment  and  remediation. 
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Assessment 

Our  survey  results  indicated  that  of  the  entities  that  responded,  the  majority  had  completed  their  inventories 
and  impact  assessments  of  mission-critical  and  essential  applications,  software  products,  and  supporting 
technology.   A  smaller  number  of  entities  indicated  that  they  had  not  yet  completed  their  assessments  of  mission- 
critical  and  essential  application  systems  and  technology.    In  line  with  initial  efforts  to  address  year  2000, 
entities  first  concentrated  on  application  systems  and  supporting  technology  and  later  began  the  effort  of 
identifying  and  assessing  the  impact  of  year  2000  on  equipment  with  embedded  technology.    Our  phase  2  survey 
results  confirmed  that  this  was  still  the  case. 


Statewide  Status  of  Y2K  Testing 
of  226  Responding  Entities  as  of  October  20,  1998 
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Figure  1 

At  the  time  of  our  phase  2  survey,  only  63%  of  those  responding  indicated  that  they  had  completed  their 
assessments  of  hardware,  software,  and  data.  Without  a  complete  understanding  of  impact  and  a  clear  picture  of 
what  needs  to  be  done,  we  place  at  risk  our  abilities  to  rectify  the  situation.  Adversely  impacted  are  decisions 
regarding  remedial  actions,  cost  estimates  and  funding  requests,  acquisition  of  necessary  resources,  and 
implementation  of  corrective  strategies.  Inadequate  effort  in  this  area  will  certainly  result  in  year  2000  failures. 

Of  the  respondents  to  our  phase  2  survey,  97  (51%)  of  the  respondents  that  answered  the  question  indicated 
that  they  had  completed  their  inventories  and  prioritization.   A  remaining  37  entities  indicated  that  they  were  in 
the  process  of  completing  this  phase,  with  an  average  level  of  completion  at  75%.   Of  the  54  entities  that 
indicated  zero  level  of  completion,  or  left  it  blank,  the  vast  majority  were  housing  authorities  which  may  have 
low  levels  of  information  technology.  However,  included  within  the  54  entities  were  Medfield  State  Hospital  and 
the  Department  of  Public  Health. 

Our  phase  2  survey  revealed  that  188,  or  83%  of  those  responding  had  completed,  or  were  near  completing 
their  inventories  and  prioritization.  A  portion  of  the  entities  noted  that  they  were  behind  schedule  as  much  as  five 
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months  on  completing  this  phase  of  their  year  2000  projects.    The  survey  also  indicated  a  relatively  high  rate  of 
completion  for  impact  assessment  and  formulating  compliance  strategies.    Here,  187,  or  83%  of  responding 
entities,  indicated  that  they  were,  on  average,  63%  complete  for  hardware,  software  and  data;  and  109,  or  48% 
of  the  responding  entities,  indicated  they  were  88%  complete  for  application  interfaces.    The  lag  in  completing 
assessments  and  strategies  for  embedded  technology  was  indicated  by  the  relatively  low  average  of  46% 
complete  from  180,  or  80%  of  the  entities  responding.   Some  entities  noted  that  they  were  six  months  behind 
schedule  in  this  area. 

Although  progress  has  been  made  in  inventory,  assessment,  and  remediation  activities,  a  great  deal  of  work 
is  yet  to  be  performed  regarding  testing  and  validation,  reintegrating  corrected  systems  with  production 
environment,  and  developing  and  documenting  risk  mitigation  and  contingency  plans.    With  respect  to  the 
current  status  of  year  2000  phases,  as  provided  through  question  one  of  the  phase  2  survey  questionnaire,  one 
must  take  into  account  the  relatively  low  response  rate  on  many  of  the  categories.   Although  some  of  this  may 
be  accounted  for  through  "not  applicable"  responses,  the  figures  could  be  significantly  less  given  that  entities 
that  did  not  respond  had  not  progressed  sufficiently  through  their  year  2000  projects. 

As  noted  in  our  prior  report  for  survey  results  as  of  October  1997,  current  results  indicate  that  impact 
assessments  have  been  focused  first  on  "traditional"  business  application  systems,  with  less  emphasis  on  all  other 
technology  to  follow.  It  is  important  that  the  assessment  of  impact  of  year  2000  be  evaluated  for  the  entire  IT 
environment,  covering  all  automated  systems,  supporting  technology,  and  embedded  technology.  As  a  result,  the 
PMO  may  lack  sufficient,  detailed  information  regarding  a  remaining  portion  of  technology  not  fully  assessed 
which  may,  in  turn,  impact  corrective  action  plans  and  total  remediation  and  contingency  planning  costs. 

At  this  time,  one  would  expect  that  all  inventories  and  assessments  of  impact  for  software,  supporting 
technology  and  equipment  with  embedded  technology  would  be  absolutely  complete.  One  would  also  reasonably 
expect  that  year  2000  project  plans  and  remediation  strategies  would  be  complete.  However,  our  phase  2  survey 
results  indicated  that  there  are  still  entities  working  on  completing  their  inventories,  impact  assessments,  and 
remediation  plans.  Given  the  diminishing  time  period,  determination  of  system  criticality  and  development  of 
contingency  plans  must  be  a  priority  for  these  entities. 

The  phase  2  survey  also  indicated  that,  in  general,  there  is  an  improved  effort  to  address  all  areas  of 
technology.  However,  additional  effort  is  needed  to  adequately  identify  and  assess  the  impact  of  equipment  with 
embedded  technology.  However,  additional  effort  is  needed  to  adequately  identify  and  assess  the  impact  of 
equipment  with  embedded  technology.  Most  organizations  in  the  public  and  private  sectors  focused  their  initial 
year  2000  work  on  application  systems  and  supporting  technology,  and  then  began  the  effort  to  address  embedded 
technology.  We  still  believe  that  there  may  be  serious  risks  should  assessments  and  remediation  efforts  of 
equipment  with  embedded  technology  (e.g.,  HVAC,  security,  utility-related  software,  etc.)  not  be  completed.  It  is 
imperative  that  assessments  of  impact  of  year  2000  be  made  on  all  technologies. 
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At  the  completion  of  remediation  efforts,  we  recommend  that  entities  reconcile  their  completed 
inventories  of  software,  supporting  technology,  and  equipment  with  embedded  technology  with  their 
inventories  of  property  and  equipment. 

Entities  not  having  adequate  resources  to  complete  their  assessments  and  develop  corrective  strategies 
should  contact  ITD's  Year  2000  Program  Management  Office  for  advice  and  assistance. 

To  help  ensure  that  appropriate  controls  are  designed  and  implemented  over  the  IT  environment, 
entities  should  perform  a  risk  analysis  of  threats  and  exposures  on  current  systems  and  IT  operations 
considering  projected  risks  and  exposures  during  the  year  2000  project. 

Based  on  the  results  of  the  assessment  phase,  we  recommend  that  entities  prepare  and  make  available 
a  statement  of  year  2000  impact  on  the  citizens,  other  entities,  and  other  recipients  of  state  services 
provided  by  the  entity's  information  technology.  The  statement  of  impact  should  also  be  used  to 
guide  the  development  of  contingency  plans. 

To  effectively  manage  subsequent  date-related  modifications  in  a  timely  manner,  a  complete  inventory 
of  workarounds  with  sufficient  information  should  be  maintained  and  cross-referenced  to  the  entity's 
IT  strategic  plan.  Entities  should  incorporate  in  their  IT  strategic  plans  efforts  to  phase  out 
workarounds  through  future  modification  or  system  conversion  after  the  turn  of  the  century  as 
appropriate. 

Planning 

Our  phase  2  survey  indicated  that  60,  (27%)  of  the  226  respondents  had  documented  year  2000  plans  that 
were  approved  by  senior  management.  Although  an  improvement  over  the  14  (5%)  of  the  282  entities  as  of 
October  7,  1997  that  responded  to  our  initial  survey  indicated  that  they  had  written  and  approved  year  2000  plans. 
Our  phase  2  survey  also  indicated  that  only  88  (39%)  of  the  respondents  had  set  priorities  as  to  when  systems  or 
technology  needed  to  be  remediated.  We  further  found  that  66  (29%)  of  the  entities  responding  had  planned  for 
completing  comprehensive  assessments  of  year  2000  compliance  for  plant,  equipment,  and  other  infrastructure 
components.  Further,  62  (27%)  of  respondents  indicated  that  their  entity's  strategy  identified  year  2000 
compliance  requirements  of  mission-critical  and  essential  trading  partners  and  suppliers.  Eliminating  the  76 
entities  that  indicated  that  this  was  inapplicable,  the  62  respondents  represent  41%  of  all  other  responses. 

Although  the  phase  2  survey  has  indicated  that  there  has  been  improvement  in  the  level  of  year  2000 
planning,  the  extent  of  documented  and  approved  plans  remains  low  given  the  importance  of  year  2000  projects. 
Of  the  261  mission-critical  and  192  essential  systems  that  were  reported  in  the  PMO's  April-June  1998  status 
report,  167  (37%)  did  not  have  documented  project  plans.  In  addition,  205  (45%)  of  the  mission-critical  and 
essential  systems  did  not  have  documented  test  plans  at  that  time.  While  we  expect  that  the  number  will  grow 
over  the  next  period,  the  number  of  entities  with  documented  plans  and  test  plans  appears  low. 
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Given  the  importance  of  exercising  strong  project  management  techniques  over  year  2000  efforts,  the  absence 
of  documented  and  approved  plans  increases  the  risk  that  not  all  critical  success  factors  for  compliance  or 
operational  viability  will  be  realized.  Regardless  of  the  size  of  an  organization,  or  the  extent  or  complexity  of  its 
technology,  an  entity's  efforts  to  maintain  operational  viability  through  year  2000  compliance  or  contingency 
planning  requires  careful  strategic  and  tactical  planning. 

With  respect  to  year  2000  planning,  we  have  observed  that  there  are  some  basic  assumptions  that  could  be 
erroneous.  Listed  below  are  some  of  the  assumptions  we  continue  to  believe  are  invalid  and  valid  regarding  year 
2000  planning: 

Invalid  Assumptions 

1 .  Year  2000  project  planning  and  implementation  is  the  sole  responsibility  of  the 
information  systems  function. 

2.  Mission-critical  systems  reside  only  on  mainframe  computers. 

3.  Year  2000  compliance  and  business  continuity  planning  validation  is  not  needed  for 
third-party  information  system  vendors  and  business  partners  who  have  plans 
sufficient  to  achieve  year  2000  compliance  in  time  to  meet  the  critical  needs  of  your 
entity. 

Valid  Assumptions 

1 .  Continued  provision  of  mission-critical  and  essential  services  and  operational 
survival  into  the  next  century  should  be  recognized  as  priority  one  for  each  entity. 

2.  The  inability  to  maintain  information  systems  operations  for  mission-critical,  and 
possibly  essential,  systems  beyond  the  time  when  year  2000  dates  are  used 
jeopardizes  an  entity's  viability. 

3.  Year  2000  project  planning  must  be  carried  out  for  the  entire  entity,  not  just  the 
information  systems  department  and  should  address  all  information  systems, 
supporting  technology,  and  embedded  technology-supported  operations. 

4.  Timely  funding  for  all  resources  required  to  carry  out  an  entity's  year  2000  project 
must  be  a  priority  and  budgeted  as  a  cost  of  maintaining  operational  viability. 

5.  Year  2000  testing  and  validation  methods  should  always  be  performed  for  all 
systems  and  technology. 

From  a  planning  perspective,  entities  need  to  adequately  take  into  account  all  critical  dates  that  impact  their 
application  systems  and  technology.  The  identification  of  critical  event  horizons  impacts  available  time  to 
remediate  or  replace  systems  and  technology.  In  addition,  the  success  of  testing  efforts  to  ensure  operational 
integrity  depends  on  identifying  all  critical  dates  for  the  particular  system.  Although  the  PMO  has  made  a  good 
effort  to  draw  to  the  attention  of  entities  certain  dates  other  than  January  1 ,  2000  that  must  be  taken  into  account, 
we  remain  concerned  that  some  entities  may  not  be  adequately  planning  for,  or  testing  for,  all  relevant  dates. 
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Without  comprehensive  testing  in  this  regard,  that  includes  future  date  testing,  it  is  not  possible  to  certify  year 
2000  compliance. 

To  help  ensure  that  entities  identify  and  plan  for  in  their  remediation  and  testing  efforts  all  relevant 
dates,  we  recommend  that  the  PMO's  Commonwealth  Y2K  Compliance  Form  requiring  agencies  to 
indicate  whether  they  plan  to  test  regarding  certain  dates,  such  as  January  1,  2000,  be  expanded  to 
require  additional  dates  and  to  obtain  a  statement  that  the  entity  has  thoroughly  evaluated  critical 
dates. 

To  help  ensure  operational  viability  of  mission-critical  and  essential  functions  and  services,  entities 
should  develop  and  maintain  a  master  Year  2000  Project  Plan  that  addresses  application  systems, 
supporting  technology,  embedded  technology,  and  contingency  plans.  The  plan,  which  should  cover 
the  entire  IT  environment,  should  be  reviewed  and  approved  by  senior  management. 

Until  such  time  as  critical  millenium  dates  have  past  and  year  2000  compliance  is  fully  attained, 
information  technology-related  acquisition  and  development  initiatives  must  address  year  2000 
compliance. 

To  expedite  corrective  efforts,  year  2000  project  plans  should  identify  as  soon  as  possible  the  priority 
of  required  changes  and  resources,  such  as  additional  staff,  analytical  software,  hardware,  and  third- 
party  assistance. 

Given  that  important  systems  need  to  achieve  year  2000  compliance,  we  recommend  that  management 
consider  setting  aside  less  essential  IT-related  projects  where  resources  could  be  reallocated  to  year 
2000  projects.  In  that  light,  we  recommend  that  ITD  identify  ongoing  IT  projects  that  are  non- 
mission  critical  or  not  mandated  by  law  to  which  associated  resources  could  be  reallocated  to  year 
2000  projects.  If  required,  the  Governor  should  consider  postponing  IT  projects  not  mandated  by 
law  in  order  to  free  resources  for  year  2000. 

We  recommend  that  each  entity  establish  appropriate  monitoring  controls  to  track,  evaluate,  and 
report  on  the  progress  of  year  2000  initiatives  and  the  status  of  operational  viability  for  modified 
systems  and  technology  to  address  year  2000  processing  requirements. 

Entities  should  adopt,  at  a  minimum,  contract  and  warranty  language  developed  by  the  Operational 
Services  Division  (OSD)  of  the  Executive  Office  for  Administration  and  Finance  and  include 
additional  terms  and  conditions  as  deemed  appropriate.  We  recommend  that  year  2000  contractors 
be  bonded. 

We  encourage  entities  to  attend  ITD's  Year  2000  User  Group  meetings. 


Massachusetts  Office  of  the  State  Auditor 


99-7055-4Y 


-  19- 


Responsibilities  and  Accountability 

We  remain  concerned  about  the  current  framework  of  accountability  for  ensuring  that  IT  systems  are  year 
2000  compliant.  We  believe  that  there  are  two  potential  problems  with  the  current  framework.  First,  is  the  issue 
of  whether  the  entity  itself  is  sufficiently  empowered  to  carry  out  the  responsibility,  and  second  is  to  whom  the 
responsibility  has  been  assigned  within  the  entity. 

Regarding  the  first  concern,  the  entity  may  lack  sufficient  management,  staff,  or  other  resources  to  adequately 
assess,  plan,  and  implement  year  2000  solutions.  The  entity-specific  assignment  of  responsibility  also  affects 
decisions  made,  or  not  made,  regarding  which  systems  get  modified.  Where  appropriate,  secretariat  level  reviews 
should  be  made  of  decisions  made  by  individual  entities. 

The  second  concern  is  that  the  individuals  assigned  responsibility  for  addressing  year  2000  compliance  may 
be  the  MIS  or  IT  directors  who,  while  playing  a  key  role  regarding  year  2000,  may  not  have  responsibility  for  all 
systems.  Today,  important  computer  systems  and  IT  resources  can  be  found  across  and  within  different 
organizational  boundaries,  as  the  pervasive  nature  of  technology  has  placed  various  IT  operations  outside  of  the 
traditional  IT  departments.  Under  such  circumstances,  it  is  possible  that  adequate  attention  may  not  be  afforded  to 
certain  systems  or  technology  not  residing  under  the  organizational  control  of  the  MIS  director.  In  such  operating 
environments,  because  of  the  critical  importance  of  year  2000  compliance  to  the  entity,  final  responsibility  should 
be  assigned  at  a  senior  executive  level.  Such  an  assignment  would  also  help  regarding  decisions  on  competing 
priorities  and  acquiring  needed  resources. 

Our  current  survey  disclosed  that  only  92  (41%)  of  the  entities  responding  had  established  executive  or  board- 
level  responsibility  for  year  2000  readiness.  Of  the  40  entities  indicating  that  they  had  not  established  this  level  of 
responsibility  were  important  agencies  such  as  the  Department  of  Public  Safety,  Massachusetts  Rehabilitation 
Commission,  Department  of  Mental  Retardation,  three  state  colleges,  and  five  community  colleges. 

From  an  organizational  perspective,  responsibilities  must  be  assigned  to  perform  the  required  technical 
services  and  provide  management  oversight  and  approval  regardless  of  whether  certain  technical  services  are 
outsourced.  In  addition,  entities  need  to  consider  establishing  project  teams  to  address  year  2000. 

To  ensure  that  adequate  attention  and  resources  are  applied  to  the  year  2000  problem,  entities  should 
establish  a  year  2000  project  team  comprised  of  members  who  are  adequately  trained,  possess 
sufficient  technical  knowledge,  and  have  strong  communications  skills.  To  ensure  that  senior 
management  is  kept  fully  aware  of  key  year  2000  issues  and  problem  resolution,  the  year  2000  project 
leader  should  have  direct  access  to  senior  management. 

To  oversee  and  guide  the  entity's  entire  year  2000  project  effort,  year  2000  steering  committees  should 
be  established  at  the  entity  and  secretariat  levels.  At  the  entity  level,  the  steering  committee  should  be 
chaired  by  a  member  of  senior  management,  have  representation  from  key  user  departments,  and 
should  include  the  year  2000  project  leader.  The  year  2000  project-team  leader  should  report  to  the 
steering  committee  for  review,  approval,  and  oversight  of  project  activities.    At  the  secretariat  level, 
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the  steering  committee  should  also  be  chaired  by  a  member  of  senior  management  and  have  adequate 
representation  of  entities  within  the  secretariat. 

Program  Management  Office 

With  respect  to  assisting  entities  in  gaining  an  understanding  of  the  year  2000  problem  and  how  to  address 
it,  the  PMO  has  continued  to  provide  year  2000-related  information  and  training  throughout  the  past  year. 
Discussions  with  a  limited  number  of  agency  personnel  have  indicated  that  entities  that  have  attended  or 
participated  in  PMO-sponsored  Y2K  User  Group  meetings  have  greatly  benefited  from  the  exchange  of 
information.  In  this  regard,  the  PMO  has  established  a  single  point  of  reference  to  which  all  entities  can  turn  for 
year  2000-related  information.  Understandably,  depending  upon  the  information  request,  the  entity  may  be 
directed  toward  another  source.  Although  the  incidence  level  of  entities  attending  awareness  days,  Y2K  User 
Group  meetings,  and  making  inquiries  has  continued  to  grow,  there  are  entities  that  remain  "on  their  own." 
Although  possibly,  to  a  lesser  degree,  there  continues  to  be  a  segment  of  government  that  may  not  have  the 
necessary  understanding  of  the  problem  or  how  to  address  it,  year  2000-related  project  management  skills,  or 
resources  necessary  to  successfully  address  the  year  2000  problem. 

Regarding  monitoring,  given  the  extent  of  the  Commonwealth's  IT  environment,  the  PMO  has  done  an 
excellent  job  in  trying  to  gain  an  understanding  of  a  difficult  problem  and  in  gathering  year  2000-related 
information  on  automated  systems.  Over  the  past  year  and  a  half,  the  PMO  has  established  a  mechanism  of 
monitoring  year  2000  activity  of  169  state  entities.  Information  obtained  from  self-reporting  and  from  site  visits 
is  maintained  in  a  database  and  serves  as  the  basis  for  the  PMO's  quarterly  status  reports.  The  status  reports 
identify  mission-critical  and  essential  systems  per  entity,  noting  their  status  code  with  respect  to  targeted  schedule 
dates.  The  status  reports  also  indicate,  by  mission-critical  and  essential  systems,  the  criticality,  compliance, 
strategy  option,  scheduled  deployment  date,  whether  there  are  documented  project  and  test  plans,  and  the  PMO's 
assessment  of  schedule  risk.  Without  doubt,  these  reports  provide  state  management  with  some  very  good 
information  regarding  systems  and  the  status  of  their  year  2000  efforts.  Based  upon  our  surveys  and  information 
obtained  from  site  visits,  given  the  importance  of  the  year  2000  issue,  we  are  concerned  as  to  whether  the  PMO's 
base  of  information  is  sufficiently  accurate  and  complete.  Based  upon  our  phase  2  survey  results  and  on-site 
interviews,  we  have  detected  some  differences  from  the  information  contained  in  the  PMO  master  list. 
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Our  survey  results  indicated  discrepancies  regarding  the  number  of  mission-critical  and/or  essential  systems 
reported  to  us  by  state  entities,  and  the  corresponding  number  of  systems  listed  in  the  PMO's  most  recent  status 
report.  For  example,  the  MBTA  indicated  that  13  systems  were  mission-critical;  however,  the  PMO  report  listed 
only  six  as  mission-critical.  In  a  more  significant  sample,  Massport  reported  65  mission-critical  systems  in  their 
phase  2  survey  response,  while  the  PMO  report  listed  21  mission-critical  systems.  In  addition,  our  survey 
revealed  that  the  PMO  had  not  included  a  significant  number  of  essential  systems  in  its  report.  For  instance,  of 
the  250  essential  systems  reported  to  us  by  the  Department  of  Corrections  (DOC),  none  was  listed  in  the  PMO 
Report.  The  Appellate  Tax  Board  reported  28  essential  systems  in  their  survey  response,  while  the  PMO  did  not 
list  any  essential  systems  for  the  Board  in  its  report.  Discussions  with  information  system  management  at  one 
entity  indicated  that  future  PMO  Reports  might  be  more  comprehensive  for  their  entity.  From  a  total  perspective, 
as  of  September  1998,  the  PMO  lists  266  mission-critical  and  191  essential  systems.  Although  not  a  strict 
comparison,  respondents  to  the  survey  indicated  that  there  were  415  mission-critical  and  851  essential  systems. 
While  it  is  possible  that  the  PMO's  figures  might  be  slightly  understated  and  those  from  the  entities  might  be 
overstated,  the  totals  should  be  somewhat  closer.  When  informed  of  our  survey  results  in  this  regard,  ITD 
officials  expressed  concern,  and  expressed  a  commitment  to  reconciling  these  differences  and  adding  required 
systems  to  their  tracking  process. 

Mission-critical  and  Essential  Systems  with 
Year  2000-related  Plans 
per  PMO  Report  as  of  June  30, 1998 


□  Mission-critical  and 
essential  systems  with 
project  plans 


□  Mission-critical  and 
essential  systems  with 
test  plans 


Figure  2 

We  are  concerned  that  the  PMO's  initial  determination  of  what  systems  within  a  given  agency  were  mission 
critical  and  essential  may  have  been  reported  to  PMO  by  staff  who  were  not  sufficiently  high  in  the  organization  to 
fully  understand  the  business  operations  of  the  agency,  or  that  reevaluations  of  these  mission-critical  and  essential 
categories  have  been  made  subsequent  to  the  initial  one  and  not  reflected  in  the  PMO's  tracking  system. 

The  Commonwealth  may  gain  a  false  sense  of  security  or  comfort  regarding  year  2000  efforts  should  all 
mission-critical  and/or  essential  systems  and  embedded  technology  not  be  tracked  and  reported  on  regarding  their 
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level  of  compliance  or  projected  operational  viability.  Due  to  the  critical  nature  of  the  year  2000  problem, 
increased  efforts  are  warranted  to  ensure  that  all  mission-critical  and  essential  systems  are  tracked  and  monitored 
for  year  2000  status  and  assessment  of  readiness  so  that  appropriate  contingency  plans  can  be  developed. 

Given  the  importance  of  addressing  the  year  2000  problem,  it  is  imperative  that  all  systems,  supporting 
technology,  and  embedded  technology  be  identified  and  impact  assessments  be  completed.  If  a  particular  system 
or  IT  resource  were  not  identified,  it  might  be  the  result  of  inventory  failure,  or  assessment  failure.  If  the  latter,  a 
mistake  in  identifying  a  system  as  mission-critical  or  essential  places  that  system  in  a  group  of  systems  that  may 
not  be  remediated  or  tracked.  Understandably,  the  importance  of  the  analysis  and  the  decisions  made  at  the  entity 
level  regarding  the  relative  importance  of  the  systems  and  technology  are  crucial  to  the  overall  process  of 
addressing  the  year  2000  issue.  Having  something  missing  from  remediation  efforts  may  be  the  result  of  poor 
triage  decisions.  The  lack  of  sufficient  testing  may  also  result  from  too  little  time  or  from  poor  decisions 
regarding  the  nature  and  extent  of  testing. 
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Total  Estimated  Year  2000  Cost  - 
Top  Ten  State  Entities  Reporting  for  FY  f99 

MBTA  Mass  Bay  Transportation  Authority 
DOR     Department  of  Revenue 
DET     Division  of  Employment  &  Training 
MHD     Mass  Highway  Department 
%<t>  MDAA   Mass  District  Attorney's  Association 

MWRA  Mass  Water  Resources  Authority 
ITD       Information  Technology  Division 
MPA      Mass  Port  Authority 
OSC     Office  of  State  Comptroller 
OSS      Office  of  Secretary  of  State 
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Figure  3 

We  believe  that  the  PMO  is  at  a  point  in  time  when  the  mechanisms  in  place  to  monitor  and  evaluate 
year  2000  progress  need  to  be  strengthened  to  more  accurately  track  the  status  of  entity  projects.  Improvements 
in  measurement  and  frequency  of  reporting  should  provide  management  with  a  better  reading  on  year  2000 
project  status.   We  suggest  that  the  metrics  be  improved  by  tightening  the  level  of  definition  of  project 
requirements,  by  more  closely  identifying  project  slippage  and  causes,  and  by  focusing  on  operational  viability 
factors.   The  latter  forces  one  to  concentrate  efforts  on  making  sure  that  mission-critical,  and  hopefully 
essential,  functions  and  services  will  be  provided  after  being  impacted  by  year  2000  dates.    It  also  emphasizes 
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the  importance  of  contingency  planning.  Each  entity's  success  or  failure  must  be  carefully  monitored  to  provide 
information  to  assist  management  in  reallocating  resources. 

Responsibilities,  scope,  mechanisms  in  place  to  provide  monitoring  and  evaluation  of  Y2K  status,  legislative 
charter,  staffing,  reporting  lines, 

It  is  our  observation  that  ITD's  Strategic  Planning  Group,  through  its  establishment  of  the  Y2K  Program 
Management  Office,  has  developed  an  excellent  resource  for  year  2000  planning  for  the  Commonwealth  and 
individual  state  entities.  Over  the  past  year,  the  Y2K  Program  Management  Office  has  made  substantial  progress 
since  the  group's  inception  in  June  of  1997  and  is  available  to  assist  other  entities  in  addressing  year  2000 
compliance  (see  PMO  report). 


Total  Estimated  Year  2000  Costs  by  100  State  Entites  Responding  for  FY  '99 


i 


Total  Estimated  Costs  for  FY*99  Total  Unfunded  Costs 


□  All  other  states  entities  ■  Authorities 

Figure  4 

Given  time  and  resource  constraints,  entities  need  to  make  difficult  decisions  regarding  which  systems  will 
attain  year  2000  compliance,  how  operational  viability  will  be  assured  for  mission-critical  and  essential  operations, 
which  IT  projects  will  be  delayed,  and  what  efforts  will  be  needed  to  develop  workable  contingency  plans.  The 
understanding  of  the  year  2000  issue  has  significantly  improved  over  the  past  year.  However,  until  a  better 
overall  understanding  is  attained,  especially  in  the  areas  of  embedded  technology  risks  and  solutions,  test 
strategies,  and  methods  for  verifying  compliance,  difficult  decisions  remain  regarding  the  allocation  of  limited 
resources  to  year  2000  testing,  reintegration  of  compliant  IT  resources,  and  development  of  viable  contingency 
plans.  Senior  state  management  needs  to  be  aware  that  delays  in  making  these  decisions  places  at  risk  the  ability 
to  obtain  required  resources  and  attain  operational  viability  for  required  operations.  For  example,  should  external 
resources  be  required,  the  ability  to  engage  sufficient  third-party  assistance  may  be  jeopardized  by  the  market 
itself,  as  private-sector  and  other  entities  external  to  the  Commonwealth  outbid  the  state  in  contracting  for  needed 
services. 
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Year  2000  Funding 

Over  the  past  year,  the  Commonwealth  has  made  good  progress  in  determining  funding  requirements  for  year 
2000  projects.  The  current  estimate  of  cost  from  the  PMO  is  $79  million.  That  appears  to  be  in  line  with  initial 
estimates  derived  from  our  first  survey.  For  fiscal  year  1999,  the  Legislature  has  appropriated  $20.4  million  plus 
an  additional  $4  million  for  year  2000  projects.  Of  69  of  the  entities  responding,  excluding  authorities,  total  cost 
for  the  current  year  is  approximately  $61  million  with  $6.3  million  in  unfunded  costs.  Of  the  31  authorities  that 
responded  estimated  cost  was  $28  million,  while  unfunded  cost  was  $223,000. 

Our  survey  indicated  that  certain  entities  experienced  year  2000  project  delays  due  to  funding  constraints. 
Based  upon  survey  results  and  on-site  interviews,  a  number  of  entities  indicated  that  sufficient  funding  was 
unavailable  for  IV&V  and  the  development  of  contingency  plans. 

To  ensure  a  complete  and  accurate  accounting  of  all  year  2000  project  costs,  an  accounting  should  be  made  of 
funds  drawn  from  operating  budgets  to  pay  for  resources  and  salaries  of  staff  assigned  to  Y2K  projects.  Although 
the  most  important  objective  at  this  time  is  to  successfully  navigate  through  the  year  2000  problem  and  ensure  that 
mission-critical  and  essential  services  can  be  provided  when  the  century  changes,  a  complete  and  accurate 
accounting  of  the  monies  spent  should  be  made.  By  drawing  a  portion  of  the  funds  needed  for  year  2000  projects 
from  operating  budgets,  we  may  be  drawing  funds  from  purposes  for  which  the  appropriations  were  initially  made. 
In  addition,  the  process  tends  to  question  the  methods  used  to  estimate  initial  and  updated  costs. 

A  final  cost  estimate  cannot  be  provided  since  not  all  remedial  plans  have  been  completed,  nor  have  all 
required  IV&V  estimates  or  problems  been  identified  through  testing. 

Entities  should  continue  to  work  closely  with  ITD's  Y2K  Program  Management  Office  and  with  the 
Fiscal  Affairs  Division  to  establish  and  update  year  2000  funding  requirements. 

Year  2000  project  teams  within  entities  should  work  closely  with  their  entity's  fiscal  management  to 
keep  them  informed  of  changes  in  cost  estimates  as  individual  projects  progress. 

Contingency  Plans 

Although  some  effort  has  been  expended  on  contingency  planning,  the  Commonwealth  overall  has  not 
developed  sufficient  contingency  plans  to  ensure  continuity  of  mission-critical  and  essential  services  should 
automated  systems  fail  to  operate  correctly,  or  at  all,  when  processing  year  2000  dates  and  dates  beyond  that  time. 
Our  survey  indicated  that  only  55  (24%)  of  entities  responding  had  developed  contingency  plans  for  mission- 
critical  systems  and  61  (27%)  for  essential  systems.  Given  that  a  "fail  safe"  level  of  year  2000  testing  will  not  be 
made,  contingency  plans  should  be  in  place  for  all  mission-critical  systems. 

There  are  some  inherent  difficulties  facing  the  Commonwealth  regarding  the  development  of  viable 
contingency  plans.  First,  because  of  the  nature  and  volume  of  some  system  operations,  it  is  exceedingly  difficult 
to  develop  alternate  processing  capabilities  with  different  technology  or  with  increased  staffing.   In  some  cases,  it 
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may  not  be  feasible  to  establish  non-IT  operations  sufficient  to  handle  required  processing  needs.   Second,  some 
contingency  plans  purported  as  being  already  developed  may,  in  fact,  not  be  practical.  For  example,  a 
contingency  plan  to  address  embedded  technology  failures  for  transportation  switches  requires  that  a  flagman  be 
located  at  each  switch.  The  problem  is  that  such  an  operation  may  require  more  knowledgeable  staff  than 
available,  or  the  operation  will  only  be  able  to  safely  handle  a  small  percentage  of  the  normal  volume.  Third, 
funding  and  expertise  to  develop  and  test  contingency  plans  may  not  be  currently  available.  And  last,  what  might 
be  reasonably  considered  as  viable  plans  could  be  at  risk  due  to  failures  in  public  services  for  electrical  power, 
water,  sewerage,  and  other  utilities. 

The  primary  responsibility  for  contingency  planning  rests  with  senior  management.  Although  the  IT 
Department  should  advise  and  participate  in  the  development  of  contingency  plans,  senior  management's  primary 
delegation  for  such  plans  should  be  to  business  function  managers  and  system  users. 

Given  the  current  status  of  year  2000  efforts  and  that  sufficient,  comprehensive  testing  has  yet  to  be 
performed,  it  is  likely  that  certain  systems  will  not  attain  year  2000  compliance  in  time  and  that  alternative 
processing  methods  will  be  needed.  We  believe  this  to  be  the  case  because  entities  currently  involved  in 
comprehensive  testing  report  that  difficulties  they  encountered  in  testing  have  been  greater  than  originally 
anticipated.  Because  of  this,  it  will  be  advisable  for  many  entities  to  halt  code  remediation  activities  at  some  point 
late  in  calendar  year  1999  in  order  to  place  a  moratorium  on  further  changes  and  to  concentrate  efforts  on 
contingency  planning  thereafter.  This  approach  may  be  required  so  that  system  owners  and  users  will  know  which 
automated  mission-critical  and  essential  functions  will  work  and  can  then  concentrate  all  efforts  on  what  to  do  for 
those  systems  that  will  not  work.  Once  plans  are  developed  that  are  ostensibly  viable,  it  will  be  prudent  to  field 
test  contingency  plans  at  some  point  late  in  calendar  1999  by  actually  shutting  down  automated  systems.  This 
kind  of  testing  is  especially  important  for  those  automated  functions  that  are  expected  to  fail  after  December  3 1 , 
1999. 

To  help  ensure  that  all  areas  of  risk  are  considered  in  the  entity's  risk  model,  risk  management  should 
be  categorized  into  three  areas  of  concern:  a.  avoidance  and  mitigation,  b.  emergency  response,  and  c. 
contingency  planning,  and  business  resumption  and  recovery. 

To  ensure  that  appropriate  contingency  plans  are  in  effect,  entities  should  establish  business 
continuity  planning  (BCP)  task  forces  for  each  mission-critical  and  essential  business  process.  Task 
force  members  should  come  from  line  management  and  operations  personnel,  and  should  not  contain 
members  who  are  doing  program  code  remediation. 

To  help  ensure  viable  operations  and  protect  services,  entities  should  establish  contingency  plans  for 
all  mission-critical  and  essential  systems,  but  with  special  attention  to  those  for  which  there  is  either  a 
likelihood  that  the  systems  will  not  attain  year  2000  compliance,  or  for  systems  that  will  not  be  made 
year  2000  compliant  in  time. 
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Continuity  planning  should  also  include  provisions  and  exigencies  regarding  the  possibility  of  loss  of 
public  utilities  services  (e.g.,  electricity,  gas,  transportation,  and  water  and  sewer)  over  an  extended 
period  of  time. 

To  help  ensure  delivery  and  the  entity's  "place  in  line,"  entities  should  negotiate  with  vendors  ahead  of 
time  for  support  services  and  supplies  for  the  period  following  01/01/00.  Alternative  backup  data 
processing  facilities  may  be  overrun  with  requests  for  services,  and  fuel  delivery  services  for  backup 
generators  may  be  overwhelmed  with  requests  for  deliveries.  These  and  other  scenarios  need  to  be 
carefully  planned  for  ahead  of  time. 

We  recommend  that  entities  strengthen  backup  procedures  for  on-site  and  off-site  storage  of  backup 
media;  determine  whether  a  more  aggressive  backup  schedule  is  warranted;  and  exercise  dual  control 
over  off-site  backup  copies  for  all  mission-critical  and  important  systems. 

We  again  recommend  that  entities  develop  contingency  plans  for  all  mission-critical  and  certain  essential 
systems  for  which  there  is  either  a  likelihood  that  the  systems  will  not  attain  year  2000  compliance,  or  for  systems 
that  support  critical  operations  for  which  the  systems  will  not  be  made  year  2000  compliant  in  time.  We  are 
concerned  that  the  development  of  viable  contingency  plans  is  a  huge  undertaking,  one  that  may  pose 
insurmountable  barriers  to  ensuring  that  acceptable  levels  of  service  will  be  provided. 

System  Modification 

Our  phase  2  survey  results  indicated  that  approximately  40%  of  the  entities  responding  were  in  the  conversion 
and  replacement  phase  for  system  modification.  Of  this  group,  the  average  level  of  completion  for  conversion  and 
replacement  was  66%;  however,  some  entities  indicated  that  they  were  as  much  as  three  months  behind  schedule 
for  their  mission-critical  systems. 

Clearly,  what  is  important  at  this  point  is  to  specifically  determine  what  remains  to  be  modified,  closely 
monitor  the  status  of  conversion  efforts,  and  exercise  good  internal  controls  over  the  program  change  control 
process.  It  is  during  the  system  modification  phase  that  entities  actually  make  the  changes  to  their  application 
systems,  whether  converting  code,  building  window  or  bridge  code  to  temporarily  defer  the  year  2000  problem, 
eliminating  code,  building  workarounds,  or  replacing  hardware  and  software.  Programming  changes  should  be 
carried  out  by  in-house  and/or  vendor  programmers,  consistent  with  the  solution  designed  in  the  assessment  and 
planning  phases.  In  all  instances,  it  will  be  important  to  consider  the  complex  interdependencies  among  systems 
and  applications,  whether  in-house  or  through  external  entities.  During  this  and  subsequent  phases,  management 
must  ensure  that  adequate  project  management  is  in  place  and  that  internal  control  is  maintained  over  system  and 
data  security,  confidentiality,  and  all  program  changes  and  versions. 

The  failure  of  entities  to  exercise  an  appropriate  level  of  controls  over  the  process  of  modifying  systems  for 
year  2000  could  result  in  systems  that  fail  to  function  as  intended,  or  at  all,  or  in  systems  that  produce  erroneous 
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results  that  could  remain  undetected  for  an  extended  period  of  time.  As  with  any  program  change  process,  it  is 
necessary  that  controls  be  in  effect  to  ensure  that  source  and  object  code  are  kept  in  sync.  It  is  also  advisable  that 
management  ensure  that  there  are  adequate  backup  copies  of  mission-critical  data  files  and  programs  for  all 
platforms  prior  to  year  2000  remedial  actions.  The  backup  copies  will  serve  as  documentation  of  electronic  files 
prior  to  year  2000  modification,  and,  as  stated  earlier,  many  original  programs  may  be  useful  to  run  archival 
reports  in  the  future,  if  archival  data  is  too  extensive  to  convert. 

Legislative  initiatives  resulting  in  mandated  changes  to  automated  systems  should  take  into 
consideration  the  impact  on  critical  year  2000  projects  along  with  the  assessment  of  other  usual  factors 
such  as  cost/benefit,  technical  feasibility,  security,  and  business  continuity  planning.  Management 
initiatives,  as  well,  should  assess  the  impact  on  year  2000  projects. 

To  ensure  consistency  in  making  year  2000  required  program-code  changes,  to  provide  a  means  of 
control,  and  to  provide  an  audit  trail  of  what  was  changed,  when,  and  by  whom,  we  recommend  that 
program-change-control  software  be  used  on  all  year  2000  projects  that  are  deemed  to  be  of  sufficient 
complexity  to  warrant  its  use. 

To  ensure  that  entities  can  recover  from  possible  errors  that  may  render  that  code  unusable,  we 
recommend  that  entities  maintain  full  backup  copies  of  files  and  systems  prior  to  remedial  activities. 

We  recommend  that  state  entities  establish  control  procedures  to  ensure  that  future  development  and 
software  maintenance  is  year  2000  compliant. 

The  year  2000  issue  is  a  managerial  problem,  best  solved  by  strong  project  management  techniques. 
Although  at  first  glance,  correcting  the  year  2000  problem  may  appear  to  be  a  relatively  simple,  technical  problem 
("after  all,  programmers  need  only  to  add  two  fields  to  date  formats")  it  may  present  a  daunting  project 
management  challenge.  The  project  management  skills  required  include,  in  addition  to  planning,  organizing, 
staffing,  directing,  and  coordinating,  clearly  defined  projects  with  specific  deliverables,  clearly-defined  points  of 
accountability,  monitoring,  and  status  reporting. 

Entities  should  establish  a  year  2000  master  plan  to  address  all  segments  of  the  IT  environment  requiring  year 
2000-related  project  work.  Regarding  year  2000  planning  efforts,  it  is  necessary  that  entities  ensure  that  there  are 
adequate  controls  in  place  for  the  ongoing  review  and  update  of  the  master  plan  as  the  project  moves  forward. 
Management  will  need  to  put  in  place  a  methodology  to  anticipate  when  resource  levels  greater  than  those 
expected  will  be  required.  In  addition,  it  is  essential  that  entities  keep  track  of  the  entire  project,  applying 
feedback  and  lessons  learned  inside  and  outside  of  the  project  to  future  project  areas. 

As  systems  are  modified  to  attain  year  2000  compliance,  entities  may  need  to  access  prior  data  that  has  been 
stored  in  electronic  form.  Here,  the  entities  will  need  to  address  backward  compatibility  in  order  to  access 
unmodified  existing  data  and  archival  data.  Entities  must  plan,  if  they  are  to  retrieve  archival  data.  Some 
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archival  data  may  be  converted  to  year  2000  compliant  formats;  however,  other  data  files  may  not  be  converted 
due  to  volume  or  other  reasons.  Backward  compatibility  may  require  that  original  program  versions  and  those 
programs  that  have  attained  compliance  are  maintained  and  available  to  process  converted  and/or  non-converted 
data  for  a  prescribed  period  of  time.  In  other  circumstances,  data  files  that  are  not  to  be  converted  to  a  year  2000 
compliant  format  may  be  accessed  using  bridge  programs  to  read  the  data. 

To  allow  access  and  processing  of  existing  and  archival  data,  we  recommend  that  entities  plan  for 
either  conversion  of  such  data,  or  the  provision  of  an  alternate  means  of  processing  such  data. 

System  Access  Security 

Regarding  system  access  security,  it  is  recommended  that  management  review  access  security  policies  and 
procedures  to  determine  whether  current  controls  are  appropriate.  Managers  must  ensure  that  individual 
accountability  is  enforced.  In  most  environments,  there  will  be  a  need  to  sufficiently  prohibit  unauthorized  access 
and  to  document  all  access  and  actions  taken.  Because  outside  contractors  may  be  engaged,  managers  need  to 
ensure  that  access  privileges  for  contracted  third-party  staff  are  promptly  deactivated  when  the  contracted  parties 
are  no  longer  authorized  to  have  access,  or  upon  their  termination  from  the  projects  or  contracts.  For  some 
application  systems,  the  issue  of  confidentiality  of  sensitive  data  may  require  that  special  precautions  be  in  effect 
to  ensure  that  data  files  are  adequately  protected  during  the  data  conversion  phases  of  the  year  2000  project  and  to 
ensure  that  all  backup  copies  are  comparably  protected. 

We  recommend  that  management  review  access  security  policies  and  procedures  to  determine  whether 
current  controls  are  appropriate.  To  maintain  the  integrity  and  the  required  level  of  security  over 
production  libraries,  entities  should  have  adequate  controls  in  place  to  protect  on-line  and  archival 
data  flies  from  unauthorized  access  and  modification. 

To  promote  adequate  internal  controls,  we  recommend  that  managers  ensure  that  individual 
accountability  is  enforced  and  that  unauthorized  access  to  year  2000  programs  and  data  is  specifically 
prohibited. 

Documentation 

Documentation  is  one  of  the  fundamental  components  of  internal  control.  Not  only  is  the  documentation  of 
the  entire  system  necessary  (overview  to  detailed  specifications),  but  adequate  management  trails  of  changes  to  the 
systems  must  be  in  place  in  order  to  permit  their  review  and  allow  for  corrective  action,  if  needed.  Clearly, 
documentation  is  vital  for  a  variety  of  purposes,  including  the  updating  of  program  code,  user  manuals,  and 
training  materials.  Data  input  screens  may  need  to  be  modified  to  allow  users  to  input  the  two-digit  century 
designation  and  reports  may  need  to  be  changed  to  reflect  the  century  designation.  It  is  essential  that 
documentation  be  appropriately  updated  as  the  project  moves  forward,  or  as  soon  thereafter  as  is  possible. 
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Programmers  and  others  working  on  the  year  2000  project  must  be  required  to  maintain  detailed  documentation  on 
all  year  2000  activities.  Failure  to  adequately  document  year  2000-related  system  changes  and  related  user 
documentation  may  result  in  costly  and  time-consuming  errors  in  the  future. 


Year  2000-Related  Plans  as  reported  by  226  Responding  Entities 
per  OSA  Survey  as  of  October  20,  1998 


3 27%  29% 
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Figure  5 


Testing 

Our  survey  indicated  that  only  52  (23%)  of  responding  entities  had  established  written  standards  and 
procedures  to  test  mission-critical  and  essential  systems,  computer  control  devices,  and  other  IT-related  products 
which  are  now  considered  year  2000  compliant.  Similarly,  our  survey  demonstrated  that  only  53  (23.4%)  of 
responding  entities  had  performed  unit,  system,  and  integration  tests  for  each  converted  or  replaced  system 
component.  Of  equal  importance,  yet  even  more  troubling,  is  the  fact  that,  according  to  our  survey,  only  20 
responding  entities  (9%)  have  had  independent  verification  and  validation  (IV&V)  testing  of  year  2000 
compliance  done  on  their  remediated  systems  (see  figure  1,  page  14). 

The  value  of  testing  to  determine  year  2000  compliance  cannot  be  underestimated.  The  goal  of  such 
testing  is  to  ensure  that  applications  and  firmware  will  correctly  process  date-related  information  and  calculations 
with  regard  to  dates  related  to  year  2000  and  beyond.  If  thorough  testing  of  mission-critical  and  essential  systems 
is  not  performed,  entities  cannot  be  assured  that  their  systems  are  year  2000  compliant. 

Unit  testing  of  modules  and  other  isolated  code  components  should  first  be  tested  separately,  followed  by 
integration  testing  of  various  modules  and  routines.  Upon  successful  completion  of  these  tests,  full  system  testing 
should  be  performed.  System  testing  can  be  more  easily  and  thoroughly  done  in  a  separate  test  environment,  and 
probably  with  better  results,  because  unexpected  problems  between  the  various  IT  components  can  be  found  and 
corrected. 
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Other  specific  types  of  tests  should  include,  but  not  be  limited  to,  first  pass,  high-level  compliance 
assessment  tests  to  quickly  determine  whether  the  code  in  question  has  a  year  2000  problem;  current  date 
regression  testing  to  ensure  that  remediation  efforts  have  not  inadvertently  introduced  changes  that  adversely 
affect  current  date  processing;  future  date  regression  testing  to  ensure  that  the  application  and  its  external 
components  can  correctly  process  dates  in  the  next  century;  boundary  date  testing,  which  tests  for  proper  date 
processing  for  routines  that  involve  dates  in  both  centuries  or  dates  before,  at,  and  after  windowing  cut-off  dates, 
etc.;  external  interface  tests,  which  test  for  consistent  and  proper  handling  of  code  regarding  date  formatting,  and 
bridging  and  windowing  routines  and  finally,  fault  tolerance  testing,  which  tests  for  an  application  system's  ability 
to  detect  and  prevent  bad  data  from  outside  automated  sources. 

Often,  software  is  used  to  isolate  date -related  code  for  remediation  purposes.  In  these  instances,  the 
output  of  the  software  search  can  result  in  finding  all  instances  of  dates,  but  sometimes  can  also  result  in  false 
positives  (i.e.,  when  code  appears  to  be  date  related,  but  is  not)  and,  in  some  cases,  false  negatives  (i.e.,  when  code 
does  not  appear  to  be  date  related,  but  actually  is).  False  positives  may  present  a  situation  where  code  is 
remediated,  but  should  not  have  been.  In  this  case  the  code  will  not  perform  as  intended,  but  this  should  be 
disclosed  in  testing  routines.  However,  false  negatives  can  present  an  even  greater  problem  should  the  code  in 
which  the  false  negative  resides  not  be  tested.  In  this  scenario,  the  non-remediated,  and  therefore  non-compliant, 
code  will  not  be  discovered  until  it  causes  the  failure  of  the  live  production  system  after  encountering  a  year  2000 
date.  It  is  for  this  reason  that  all  mission-critical  and  certain  essential  code  should  be  tested;  even  if,  up  to  the 
time  of  the  test,  no  year  2000-related  changes  have  been  made  to  some  segments  or  modules  where  it  would 
appear  that  testing  is  unnecessary. 

In  traditional  information  systems  environments,  year  2000  remediation  efforts  are  required  for  all  areas  of 
technology,  including  the  application  system,  other  programs  with  which  the  application  interacts,  the  operating 
system,  the  platform  on  which  they  reside,  and  in  some  cases,  special  windowing  or  bridge  software  and  other 
network-related  IT  equipment.  To  avoid  multiple,  simultaneous  year-2000-related  failures  given  the 
interoperability  of  all  of  these  various  components,  year  2000  future-date  simulation  testing  must  be 
simultaneously  tailored  to  each  component  throughout  the  testing  process.  Future  date  testing  should  address  all 
dates  related  to  the  new  millennium.  These  might  include,  but  should  not  be  limited  to,  those  in  1999  that  are 
associated  with  fiscal-year  2000  processing,  special  character  dates  (such  as  09/09/1999  that  may  have  specific 
meanings  like  "end  of  file"  or  "delete  file"  etc.),  first  day  of  2000  (01/01/2000),  first  business  day  in  2000 
(01/04/2000),  leap-year  day  (02/29/2000),  and  days  that  pertain  to  the  cutoff-date  boundaries  around  in-use 
windowing  routines. 

In  the  absence  of  such  testing,  multiple,  simultaneous  failures  could  occur,  resulting  in  extraordinary 
durations  of  downtime.  The  downtime  could  occur  because  identifying  the  problem  component(s),  isolating  the 
failure  point(s)  in  each  component  and  remediating  or  replacing  component  problems  at  each  failure  point  will  be 
difficult  and  time-consuming  at  best.  In  addition,  incomplete  testing  with  regard  to  systems  that  communicate 
with  each  other  (such  as  with  trading  partners,  federal  systems,  or  for  EDI-related  transactions)  can  result  in 
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situations  where  data  transferred  between  and  among  systems  will  appear  to  be  error  free,  but  in  fact  are  not. 
Such  a  situation  could  proceed  for  some  time  before  discovery,  resulting  in,  for  certain  high-volume  throughput 
systems,  the  very  real  risk  that  database-integrity  will  be  lost. 

Because  of  the  depth  and  breadth  of  technology  that  often  needs  to  be  remediated  or  replaced  to  become 
year  2000  compliant,  testing  is  best  done  in  a  separate  test  environment.  When  this  is  not  possible,  and  testing 
may  be  done  on  the  production  computer  in  a  separate  logical  area,  entities  need  to  recognize  that  unforeseen  year 
2000  problems  may  go  undetected  unless  test  scripts  include  tests  related  to  the  required  updated  hardware  and 
operating  system  environment,  utilities  and  other  automated  routines  separate  from  the  primary  application  system. 

Given  the  tight  time  frame  and  the  scarcity  of  knowledgeable  technical  staff,  entities  need  to  determine  an 
optimal  level  of  testing  that  is  necessary  in  the  given  circumstance  to  adequately  ensure  year  2000  compliance. 
However,  the  testing  process  needs  to  be  tightly  managed  so  as  to  avoid  overtesting  and  unnecessary  time  lapses 
between  test  routines.  In  this  regard,  we  believe  that  non-year  2000  changes  should  generally  not  be  commingled 
with  year  2000  remediation  work  and  tests,  since  any  problems  related  to  such  unrelated  work  could  unnecessarily 
slow  the  pace  of  year  2000  compliance  efforts. 

Upon  completion  of  year  2000  testing  within  the  entity,  independent  verification  and  validation  (IV&V) 
testing  should  be  performed  on  all  mission-critical  systems  and  on  essential  systems  as  deemed  appropriate  by 
management  and  to  the  extent  possible  given  the  time  constraints.  Because  time  is  of  the  essence  in  the  IV&V 
process,  application-system  specific  test  scripts,  cases,  and  data  need  to  be  carefully  planned  and  managed  so  that 
disclosed  errors  and  exceptions  are  easily  understood  and  can  be  quickly  remediated.  User  reviews  of  test  outputs 
should  be  viewed  as  a  form  of  acceptance  testing.  Here,  the  user  is  reviewing  for  unexpected  results,  inasmuch  as 
the  system  should  operate  and  calculate  no  differently  than  prior  to  remediation,  except  that  the  advent  of  year 
2000  should  now  be  transparent. 

In  no  case  should  the  absence  of  funding  be  used  as  an  excuse  for  not  performing  required  testing, 
including  IV&V,  on  mission-critical  and  essential  systems.  In  this  regard,  state  entities  (excluding  authorities) 
need  to  seek  and  receive  the  assistance  of  the  Fiscal  Affairs  and  Information  Technology  Divisions  to  quickly 
resolve  any  perceived  funding  shortfalls. 

To  help  ensure  that  year  2000  compliance  testing  is  accomplished  in  the  most  efficient  and  effective 
manner  given  time  constraints,  entities  should  do  only  as  much  testing  as  necessary  to  ensure  year 
2000  compliance. 

To  reduce  the  amount  of  testing,  testing  should  be  limited  through  the  development  of  test 
requirements,  smart  test  script  procedures,  and  definitions  of  desired  test  outputs. 

Entities  with  large,  complex  systems  should  establish  a  specialized  testing  and  compliance  team.  To 
accomplish  this,  we  recommend  that  entities  use  the  best  available  technical  knowledge  with  required 
skill  sets  to  develop  test  tools  and  scripts.  Such  entities  should  also  implement  a  year  2000-test  facility. 
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To  ensure  the  adequacy  of  testing,  we  recommend  that  entities  develop  and  document  test  and 
validation  plans  for  each  converted  or  replaced  application  or  system  component,  and  implement 
automated  test  tools  and  scripts  as  appropriate  to  the  automated  system  being  made  year-2000 
compliant. 

To  help  ensure  uniformity  of  compliance  results,  entities  should  perform  unit,  integration,  and  system 
tests  on  each  converted  or  replaced  system  and  system  component.  Testing  should  also  include,  but 
not  be  limited  to,  data  aging,  date  simulation,  regression,  performance,  stress,  forward  and  backward, 
source-code  auditing,  interoperability,  mainframe,  mini-,  and  microcomputers  (white  box),  and 
equipment  with  embedded  technology  (black  box),  as  appropriate. 

To  ensure  that  the  full  range  of  operational  requirements  are  considered  and  remediated,  system 
testing  should  include  the  operation  of  features  that  go  beyond  the  application  code  itself,  such  as 
those  for  restart  and  recover,  diagnostics,  automatic  purge,  automatic  backup,  alarm  events,  etc. 

To  help  maintain  and  ensure  data  integrity,  entities  that  have  applications  systems  that  receive  data 
from  outside  sources  should  use  artificial-intelligence  audit  tools  to  dynamically  screen  for  data 
corruption  from  such  outside  sources.  Entities  should  also  assess  the  degree  to  which  software  tools 
can  be  used  to  prevent  and  detect  the  importation  of  incompatible  date-formatted  or  corrupted  data. 

To  help  ensure  year  2000  compliance  for  mission-critical  and  essential  systems,  entities  should  retest 
with  newly  developed  automated  test  tools,  as  they  become  available. 

Independent  verification  and  validation  testing  should  be  performed  on  all  mission-critical  and  certain 
essential  systems. 

Entities  should  develop  and  document  a  strategy  for  testing  contractor-converted  or  replaced 
applications  or  system  components. 

Entities  should  track  the  testing  and  validation  process  and  collect  and  use  project-related  statistics  to 
manage  it. 

Implementation  of  Remediated  Software 

After  remediated  software  has  been  successfully  tested  and  accepted  by  management  and  users  have  verified 
the  apparent  correctness  of  systems  outputs,  the  modified  systems  would  be  reintroduced  to  the  production 
environment.  It  is  important  that,  from  that  time  forward,  all  input  of  data  containing  year  fields,  including  those 
from  outside  the  entity,  conforms  to  the  new  year  field  standard,  e.g.,  CCYY. 

As  systems  are  reintroduced  within  the  production  environment,  careful  consideration  should  be  given  to  the 
interrelationships  of  systems,  whether  internal  or  external  to  the  entity,  so  that  data  flows  between  systems  remain 
in  sync  with  regard  to  date  fields.  Systems  should  be  brought  back  into  production  as  soon  as  possible,  after 
testing  has  been  successfully  completed.  In  this  regard,  temporary  bridge  programs  may  be  required,  as 
remediated  systems  are  required  to  operate  with  those  that  are  not  yet  remediated.  In  other  instances,  windowing 
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may  be  required.  When  using  windowing,  care  must  be  taken  to  keep  data  communications  in  sync  when 
windows  with  different  assumptions  are  involved. 

To  help  maintain  and  ensure  data  integrity,  entities  that  have  applications  systems  that  receive  data 
from  outside  sources  should  use  artificial-intelligence  audit  tools  to  dynamically  screen  for  data 
corruption  from  such  outside  sources.  Entities  should  assess  the  degree  to  which  software  tools  can  be 
used  to  prevent  and  detect  the  importation  of  incompatible  date-formatted  data. 

Reporting 

It  is  important  that  entities  establish  a  formal,  centralized  reporting  system  for  year  2000  project  status,  and  require 
submittal  of  exception  reporting  to  senior  management  for  review.  In  addition,  special  attention  should  be  given 
to  year  2000  compliance  efforts  for  the  Commonwealth's  mission-critical  systems  that  are  significantly  delayed. 

Entities  should  keep  their  client  base  informed  as  to  what  actions  have  been  taken  to  ensure  year  2000 
compliance  for  systems  (and  subsequent  status),  especially  when  those  clients  are  dependent  upon  the 
entity's  systems. 

Legal  Issues 

There  are  enormous  legal  implications  regarding  the  year  2000  issue.  Some  legal  experts  have  predicted  that 
year  2000  noncompliance  cases  will  comprise  the  single  largest  litigation  expense  in  history,  incurring  legal  costs 
that  could  surpass  $1  trillion.  Beyond  the  interdependencies  forged  through  electronic  transfer  of  data  and 
electronic  commerce  are  the  expectations  of  delivery  of  service,  safeguarding  the  integrity  of  information  held  in 
trust,  and  safeguarding  assets  that  may  be  at  risk  should  litigation  result  from  systems  or  technology  that  fail 
because  they  are  not  year  2000  compliant. 

It  is  a  primary  responsibility  of  management  to  perform  strategic  planning  sufficient  to  ensure  that  an  entity's 
mission  can  be  carried  out,  that  mission-critical  systems  will  operate  as  intended,  and  that  the  information  and  data 
those  systems  generate  will  have  integrity.  Management  responsibilities  include  having  in  place  internal  controls 
to  provide  reasonable  assurance  that  operational  objectives  will  be  achieved  and  that  undesired  events  will  be 
prevented  or  detected  and  corrected.  In  carrying  out  its  planning  and  operational  obligations,  management  must 
exercise  due  care,  or  in  some  cases  due  professional  care.  To  help  steer  clear  of  charges  of  negligence,  or  to 
defend  against  such  charges,  management  should  be  able  to  demonstrate  that  it  exercised  due  care.  We  believe 
that  with  respect  to  year  2000,  entities  should  be  able  to  demonstrate  that  they  adequately  assessed  their  entire 
information  technology  environment  and,  at  a  minimum,  made  a  good  faith  effort  to  implement  corrective 
strategies  for  mission-critical  and  essential  systems  and  technology.  That  good  faith  effort  should  include 
informing  users  of  systems  and  or  trading  partners  of  the  status  of  year  2000  compliance.  Clearly,  the  issue  of 
demonstrable  due  professional  care  will  become  increasingly  important  if  systems  fail  to  operate  properly,  or  at 
all,  because  of  the  year  2000  problem.  It  is  therefore  somewhat  troubling  that,  of  the  226  survey  respondents, 
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only  88  (39%)  indicated  that  they  were  documenting  their  year  2000-project  efforts  sufficient  to  demonstrate  due 
diligence.  Another  aspect  of  due  care  is  that  entities  need  to  keep  clients,  customers,  and  service  recipients 
informed  as  to  the  impact  of  loss  of  mission-critical  operations  and  of  the  probability  of  such  loss.  It  is  even  of 
greater  concern  that  of  the  226  respondents,  only  26  (12%)  had  developed  a  statement  of  impact  of  loss  of  mission- 
critical  and  essential  systems  and  technology  indicating  the  degree  to  which  business  operations  would  be 
negatively  impacted  should  the  year  2000  problem  not  be  successfully  addressed. 

The  Operational  Services  Division  (OSD)  of  the  EOAF  has  developed  and  implemented  a  policy  of  requiring 
vendors  which  are  to  be  listed  on  the  state's  "blanket  contract"  to  sign  a  year  2000  compliance  statement.  The 
year  2000  compliance  statement  stipulates  that  all  goods  and  services  delivered  by  the  signatory  vendor  must 
comply  with  the  requirements  of  year  2000,  imposes  certain  penalties,  and  indemnifies  the  state  for  breaches  in 
goods  and  services  delivered  under  said  contracts,  resulting  from  year  2000  noncompliance. 

Care  must  be  taken  to  ensure  that  copyrights  are  not  violated  and  that  proprietary  information  is  appropriately 
protected  against  unauthorized  access,  use,  and/or  disclosure.  If  an  entity  does  not  own  the  software  product  it  is 
using,  it  should  not  be  modified  for  year  2000  unless  the  license  agreement  allows  for  such  modification.  When 
there  is  a  question  regarding  copyright  issues,  management  should  consult  the  software  vendor. 

Entities  occasionally  have  agreements  with  third-party  software  providers  whereby  the  application  program's 
source  code  is  held  in  escrow  as  a  protection  against  the  vendor  going  out  of  business  or  otherwise  defaulting  on 
contractual  agreements.  When  program  code  is  held  in  escrow,  the  vendor  would  be  required  to  modify  the 
software  for  year  2000  compliance  as  part  of  the  software  license  agreement;  however,  entities  need  to  ensure  that 
the  escrowed  copy  of  the  source  code  is  updated  in  accordance  with  the  compliant  version. 

Some  state  entities  are  dependent  upon  and  are  awaiting  vendor  solutions  promised  by  software  vendors. 
Many  entities  are  also  awaiting  vendor-promised  "fixes"  for  year  2000  hardware  compliance.  In  some  instances, 
it  is  expected  that  vendors  will  be  unable  to  deliver  promised  "fixes,"  and  others  may  go  out  of  business  rather 
than  suffer  costly  litigation.  In  such  cases,  the  responsibility  for  year  2000  compliance  is  made  more  complex,  but 
remains  with  the  entity's  management.  Nonetheless,  the  danger  for  entities  in  this  situation  is  that  by  the  time 
they  become  aware  of  the  problem,  the  opportunity  to  achieve  year  2000  compliance  may  have  expired. 
Documentation  of  vendor-promised  solutions  and  the  provision  of  adequate  business  continuity  planning  take  on 
heightened  importance  in  these  situations. 

The  Information  Technology  Division  has  begun  an  initiative  to  form  a  statewide  legal  task  force. 
Preliminary  meetings  are  planned  for  November  1998  to  which  agency  heads  and  legal  counsels  from  each  state 
entity  are  being  invited.  However,  it  is  our  understanding  that  these  meetings  will  be  open  to  all.  The  purpose  of 
the  legal  task  force  will  be  to  provide  a  forum  for  legal  concerns  common  among  state  entities,  initiate  a  statewide 
legal  risk  assessment,  issue  legal  guidelines  for  state  entities,  consider  potential  legal  filings  regarding  year  2000. 
In  this  regard,  legal  filing  might  include,  but  not  be  limited  to,  addressing  liability  protection,  tort  claim  protection, 
good-samaritan  protection,  tax  deductibility  of  year  2000-related  losses,  and  fast-track  procurement  for  year  2000- 
related  resources. 
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We  encourage  the  ITD  to  continue  its  efforts  with  regard  to  the  formation  of  a  year  2000  legal  task  force.  We 
concur  with  the  intent  of  the  task  force  to  provide  legal  input  in  formulating  year  2000-related  strategies  and  to 
assist  in  addressing  legal  issues  related  to  year  2000. 

Entities  should  maintain  complete  documentation  of  efforts  to  assess  the  year  2000  impact,  including 
the  development  of  strategies  and  tactical  plans  for  addressing  the  issue  and  taking  remedial  action, 
verifying  test  results,  implementing  modifications  and  technology,  informing  parties  as  to  year  2000 
actions,  and  assessing  the  status  of  information  systems  and  technology.  We  also  recommend  that 
entities  maintain  careful  records  of  all  activities  involved  in  their  year  2000  project.  This  would 
include,  but  not  be  limited  to,  the  year  2000  planning  documents,  year  2000  steering  committee 
meeting  minutes,  documentation  of  decisions  regarding  mission  criticality  and  importance  of  affected 
systems  and  associated  triage  decisions,  resource  and  cost  estimates  and  methods  of  projecting  them, 
project  status  reports  with  time  lines  and  milestones,  year  2000  project  staff  organization,  staff 
qualifications,  and  training  provided  regarding  year  2000  remediation. 

We  recommend  that  agencies  contract  only  with  those  vendors  that  have  signed  the  year  2000  blanket 
contract  language  as  developed  by  the  Operational  Services  Division  (OSD).  Agencies  should  be 
aware  that  OSD  has  written  standard  year  2000  contract  clauses  for  contractual  agreements,  and 
entities  should  use  these  clauses  in  all  new  requests  for  response  (RFRs)  and  contracts. 

We  recommend  that  entities  perform  a  legal  risk  assessment  with  regard  to  year  2000  noncompliance 
and  take  steps  to  protect  themselves  against  the  occurrence  of  these  liabilities. 

Where  software  source  code  is  being  held  in  escrow,  entities  should  ensure  that  escrowed  copies  of 
software  have  been  remediated  to  ensure  year  2000  compliance. 

Statewide  Issues 

Oversight,  Organization,  Planning,  Controlling,  Monitoring,  and  Reporting 

As  part  of  our  survey,  we  reviewed  the  mission  and  functioning  of  the  Commonwealth's  oversight, 
organization,  planning  controlling,  monitoring,  and  reporting  of  year  2000-related  efforts.  The  primary  point  of 
control  in  this  regard  resides  within  the  Administration  and  Finance  Secretariat,  the  Information  Technology 
Division,  Strategic  Planning  Group,  and  Year  2000  Project  Management  Office  (PMO).  We  found  that  the  PMO 
had  been  and  is  now  doing  a  good  job  in  obtaining  an  overview  of  the  state's  year  2000  efforts,  in  heightening 
awareness  of  the  year  2000  issues,  in  providing  guidance  and  training  on  year  2000  project  issues,  and  in  assisting 
with  obtaining  required  resources.  However,  as  we  move  into  the  last  year  of  this  century,  we  believe  that 
oversight  controls  need  to  be  expanded,  and  some  need  to  be  tightened.  Our  review  and  assessment  indicated 
certain  control  areas,  including  reporting  lines  and  structures,  scope  of  mission,  system  compliance-tracking 
methods,  key  definitions,  reporting  frequency,  and  compliance  status  verification  methods  should  be  modified  and 
improved  as  we  proceed  through  the  final  year  before  the  millennium  date  change. 
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In  reviewing  year  2000  progress,  we  noted  that  not  all  Commonwealth  entities  reside  under  jurisdiction  of  the 
Executive  Office  of  Administration  and  Finance,  and  therefore,  not  all  entities  are  required  to  adhere  to  PMO 
policy  guidelines.  To  achieve  a  broader  spectrum  of  awareness  throughout  the  Commonwealth,  we  recommended 
in  our  February  3,  1998  report,  and  again  here,  that  the  Governor  issue  an  Executive  Order  related  to  year  2000 
compliance  responsibilities  and  reporting  requirements.  The  Executive  Order  should  include  additional 
requirements  for  centralized  reporting  for  all  state  entities  and  incorporate  instructions  similar  to  those  outlined  in 
Secretary  for  Administration  and  Finance  Charles  Baker's  September  29,  1997  letter  (see  Appendix  6,  page  79). 
The  letter  was  sent  to  all  executive  branch  secretaries  and  department  heads  regarding  year  2000.  We  would 
further  recommend  that  legislation,  signed  by  the  Governor,  expanding  the  PMO's  role  to  cover  all  state  entities 
would  be  the  best  device  to  establish  the  required  mandate.  To  coordinate  information  on  the  status  of  year  2000 
projects,  we  recommend  that  ITD  be  designated  as  the  central  entity  to  which  status  reporting  from  all  state 
agencies  and  authorities  should  be  submitted.  In  addition,  ITD  should  continue  to  establish  accreditation 
methodologies  and  standards  to  certify  the  completion  of  year  2000  projects. 

Our  observations  have  been  that  certain  oversight  agencies  have  not  taken  a  strong  enough  role  in  monitoring 
and  assisting  in  year  2000  efforts  for  entities  that  report  to  them.  We  recommend  that  oversight  agencies  take  a 
greater  role  in  ensuring  year  2000  compliance  efforts  for  entities  that  come  under  their  control  and  that  the  PMO 
also  require  year  2000  reporting  from  oversight  agencies. 

Our  survey  and  on-site  interviews  indicated  that  there  was  a  significant  number  of  mission-critical  and 
essential  systems  reported  to  us  by  entities  that  were  not  being  tracked  by  the  PMO  in  its  quarterly  reports.  It  may 
be  that  different  people  within  an  entity  are  reporting  on  these  systems  with  different  perspectives  at  different 
times.  To  help  ensure  that  the  Commonwealth  is  working  on  gaining  compliance  for  the  correct  mix  of  systems, 
we  recommend  that  the  agency  head  be  required  to  sign  off  on  the  list  of  mission-critical  and  essential  systems.  In 
addition,  we  recommend  that  the  PMO  establish  a  procedure  to  periodically  review  its  list  of  mission-critical  and 
essential  systems  to  ensure  its  accuracy  and  completeness. 

Our  interviews  determined  that  the  PMO's  reports  are  based  on  information  self-reported  by  entities.  We  are 
concerned,  therefore,  about  the  possibility  that  certain  information  contained  in  the  reports  may  be  affected  by  a 
certain  amount  of  wishful  thinking  on  the  part  of  entity  officials  and  that  when  held  up  to  closer  scrutiny  may 
prove  less  than  reliable  in  certain  instances.  To  better  improve  the  integrity  of  entity  year  2000-related  reporting, 
we  recommend  that  the  PMO  establish  a  method  to  verify  and  validate  entity-reported  information. 

During  our  survey,  we  reviewed  the  PMO's  definitions  of  mission-critical  and  essential  systems.  They  are  as 
follows: 

Mission-critical  systems  are  IT  or  embedded  systems  which  directly  impact  the  health,  safety, 
or  livelihood  of  citizens  of  the  Commonwealth;  directly  impact  the  ability  to  collect  revenues  of  the 
state;  and  the  loss  of  which  would  severely  jeopardize  the  agency's  delivery  of  services. 
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Essential  systems  are  IT  or  embedded  systems  the  loss  of  which  would  cause  disruption  of 
some  agency  services  without  disrupting  primary  services. 

To  provide  a  more  comprehensive  definition  in  determining  which  systems  are  mission  critical  to  the 
Commonwealth,  we  recommend  that  the  definition  of  mission-critical  systems  be  enhanced  to  include  "directly 
impact  the  state's  ability  to  meet  its  legal  and  contractual  obligations,  and  its  ability  to  make  required  payments." 

Up  to  the  time  of  the  PMO's  most  recent  report,  reporting  cycles  were  being  done  on  a  quarterly  basis. 
While  we  believe  that  this  frequency  was  adequate  at  that  juncture,  it  may  not  be  as  we  move  forward  into  the  last 
year  of  the  century.  To  help  ensure  that  the  Commonwealth  has  a  better  understanding  of  the  status  of  year  2000 
compliance,  contingency  planning  efforts,  and  associated  problem  areas,  we  recommend  that  reporting  intervals  be 
increased  to  a  monthly  basis  during  the  first  half  of  calendar  1999  and,  for  so-called  "problem"  agencies,  more 
frequently  during  the  second  half  of  1999.  Tangentially,  problem  resolution  procedures  will  need  to  be  enhanced 
to  meet  the  anticipated  increase  in  problems  in  attaining  year  2000  compliance  or  in  developing  viable  contingency 
plans. 

To  help  ensure  that  the  Commonwealth  is  covering  all  areas  affecting  the  health,  safety,  and  well-being 
of  its  citizens,  we  recommend  that  the  charter  and  funding  of  the  PMO  be  legislatively  expanded  to 
include  all  state  agencies,  cities,  towns,  and  public  schools  and  to  require  outreach  activities  to  private 
sector  entities  where  the  health  and  safety  of  citizens  is  involved,  such  as,  hospitals  and  nursing  homes. 
All  entities  covered  should  be  requested  to  prepare  and  submit  to  the  PMO  periodic  reports  on  the 
impact  and  possible  disruptions  of  year  2000. 

To  help  ensure  proper  lines  of  communication  and  authority,  we  recommend  that  the  PMO  report 
directly  to  the  Governor. 

Funding,  Hiring,  and  Purchasing 

To  help  ensure  that  required  resources  are  available  when  needed,  we  recommend  that  the  Legislature 
and  Governor  consider  a  plan  to  fast-track  appropriations  of  monies,  hiring  requests,  and  purchases 
requested  and  required  for  year  2000  remediation,  upgrades,  and  replacements. 

To  assist  financially  strapped  cities  and  towns  with  their  year  2000  efforts,  we  recommend  that  the 
Commonwealth  establish  an  emergency  low  (or  zero)  percent-interest-rate  loan  fund  for  year  2000 
remediation  for  mission-critical  and  essential  systems. 

To  help  ensure  that  skilled  staff  are  available  to  carry  out  year  2000  project  plans,  we  recommend  that 
the  so  called  "technical  pay  law"  be  reviewed  and  updated  to  make  the  Commonwealth  sufficiently 
competitive  in  attracting  and  maintaining  required  employees.  This  review  and  update  should  be 
carried  out  in  an  expeditious  manner. 
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Emergencv  Response  Planning 

To  assist  the  Commonwealth  in  its  overall  planning  for  disruptions  to  public  services  brought  on  by 
the  year  2000  computer  date  problem,  we  recommend  that  the  Commonwealth  establish  an  emergency 
response  plan  and  team  to  assist  in  dealing  with  problems  resulting  from  the  millenium  date  change. 
The  plan  should  be  developed  jointly  by  the  Massachusetts  Emergency  Management  Agency,  the  State 
Police,  the  Massachusetts  National  Guard,  city  and  town  police  and  Tire  departments,  and  other 
federal,  state,  local,  and  private  entities  as  deemed  appropriate. 

To  help  ensure  that  the  Commonwealth  takes  advantage  of  the  benefits  of  all  cooperative  efforts 
available,  we  recommend  that  the  MEMA  and  other  emergency  response  planning  entities  work 
closely  with  the  Federal  Emergency  Management  Agency  and  similar  organizations  in  nearby  states 
where  reciprocal  aid  agreements  can  be  arranged. 

To  help  ensure  that  adequate  emergency  supplies  are  on  hand  when  needed,  we  recommend  that  state 
entities  and  cities  and  towns  procure,  and  strategically  store  throughout  the  state  critical  and  essential 
supplies  and  provisions,  e.g.,  emergency  backup  generators  and  generator  fuel  (which  should  be 
gravity  fed),  emergency  signs,  and  other  materials  critical  to  the  health  and  safety  of  citizens  of  the 
Commonwealth. 

To  help  prepare  the  Commonwealth  for  the  effects  of  year  2000  impact  based  on  actual  experiences 
that  may  have  been  otherwise  unforeseen,  we  recommend  that  the  ITD's  PMO  and  emergency 
response  groups,  such  as  MEMA,  take  advantage  of  the  17  hour  lead-time  of  actual  experience  as  the 
millenium  date  change  circles  the  globe  by  establishing  an  early-warning  monitoring  function. 

To  help  uncover  potential  year-2000  related  problems,  we  recommend  that  full-scale  simulation  tests 
be  performed  for  local  and  statewide  emergency  response  teams. 

To  better  know  the  status  of  year  2000  compliance  of  public  utilities,  we  recommend  that  the 
Department  of  Telecommunications  and  Energy  request  that  all  public  utilities  within  the 
Commonwealth  report  to  DTE  monthly  on  their  Y2K  status. 

We  recommend  that  the  State  Treasurer  take  all  prudent  steps  required  to  protect  the  state's  private- 
sector  equity  investments,  given  the  expected  disruptions  in  the  publicly-traded  equity  markets,  which 
may  be  caused  by  the  year  2000  problem. 

Massachusetts  Electric  Power  Supply  and  Other  Utilities 

The  Office  of  the  State  Auditor  is  concerned  about  reports  that  the  electric  power  and  other  utilities  are  at 
risk  because  of  the  year  2000  computer  problem  and  the  negative  impact  that  loss  of  power  might  have  on  citizens 
of  the  Commonwealth  and  on  state  entities.  Our  concern  has  been  somewhat  attenuated  by  the  result  of  a 
statewide  survey  of  utility  companies  conducted  by  the  Department  of  Telecommunications  and  Energy  during 
June  through  August  1998,  and  a  recent  report,  issued  on  September  17,  1998,  by  the  North  American  Electric 
Reliability  Council  (NERC). 
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According  to  the  Massachusetts  Department  of  Telecommunications  and  Energy's  (DTE)  survey, 
conducted  during  June  through  August  1998: 

•  100  percent  of  the  major  utility  companies  responded  to  the  DTE'survey.  These 
major  companies  provide  services  to  over  90  percent  of  Massachusetts  customers 
(excluding  water). 

•  75  percent  of  the  respondents  began  their  year  2000  activities  during  or  prior  to 
1997. 

•  95  percent  of  major  companies  have  completed  their  inventory  and  assessment  of  IT 
systems. 

•  65  percent  of  major  companies  have  completed  their  inventory  and  assessment  of 
equipment  with  "embedded  technology." 

•  100  percent  of  the  companies  plan  to  complete  inventory  and  assessment  of  the 
equipment  with  embedded  technology  by  the  end  of  1998. 

•  100  percent  of  companies  plan  to  be  year  2000  compliant  by  mid- 1999. 

•  100  percent  of  companies  are  in  the  process  of  developing  contingency  plans. 

•  30  percent  of  municipally  run  utilities  responded  to  the  DTE's  survey.  These 
municipalities  provide  services  to  approximately  50  percent  of  the  remaining  10 
percent  of  Massachusetts  customers. 

While  the  DTE's  results  would  appear  to  be  comforting,  it  should  be  kept  in  mind  that  these  are  self- 
reported  figures  from  companies  where  adverse  publicity  about  year  2000  compliance  could  negatively  impact  the 
company's  image  and,  possibly,  its  stock  price.  Given  that  reality,  the  veracity  of  the  self-reported  information 
must  be  viewed  with  a  certain  amount  of  skepticism.  It  should  also  be  noted  that  the  scheduled  time  to  attain  full 
year  2000  compliance  is  very  tight  at  mid- 1999,  leaving  little  time  for  testing  and  independent  verification  and 
validation  activities. 

The  DTE's  survey  results  seem  to  be  consistent  with  a  recent  study  conducted  throughout  North  America. 
According  to  the  broader-based  NERC  report,  based  on  electric  companies  where  year-2000  work  is  well 
underway,  indications  are  that  "Y2K  may  have  less  impact  on  electrical  systems  than  first  thought.  Electrical 
systems  consist  mainly  of  wires  and  metal  devices.  Most  equipment  is  electromechanical,  meaning  there  is  less 
dependence  on  digital  controls.  .  .  .    Tests  have  indicated  there  are  very  few  date-interpretation  problems  that 
affect  the  ability  to  operate  electric  systems.  The  first  response  then  is  one  of  cautious  optimism,  as  it  appears  that 
the  impacts  of  Y2K  on  the  operation  of  electrical  systems  may  be  minimal."  The  report  concludes  that:  "at  this 
point,  the  perceived  risks  are  manageable.  .  .  .  The  conceivable  risks  appear  to  be  well  within  the  ability  of  the 
electrical  systems  to  provide  " 

That  is  the  good  news  in  the  NERC  report.  Of  concern,  however,  is  the  fact  that  the  electric  industry  is 
behind  in  contrast  to  where  many  other  entities  are  with  regard  to  their  year  2000  projects.  According  to  the 
report,  industry-wide  milestones  have  been  established  as  follows:  the  initial  assessment  is  to  be  completed  by 
October  31,  1998,  remediation  and  testing  by  May  31,  1999,  and  mission  critical  systems  Y2K  Ready  by  June  30, 
1999.  These  milestones  appear  to  be  very  tight  in  terms  of  what  needs  to  be  accomplished  should  any  substantial 
"traditional"  application  systems  need  to  be  remediated,  or  should  there  be  equipment  with  embedded  technology 


Massachusetts  Office  of  the  State  Auditor 


99-7055-4Y 


-40- 


that  needs  to  be  replaced.  Although,  according  to  the  report,  "many  [electric-generating]  organizations  are  on 
track  to  meet  or  exceed  the  target  dates  proposed  in  this  report,  .  .  .  there  are  some  organizations  who  (sic)  are 
late  getting  started,  who  have  not  shown  sufficient  progress,  and  who  are  projecting  completion  dates  later  than  the 
recommended  schedule."  Given  all  of  this,  we  remain  concerned  that  there  may  be  disruptions  in  the  power 
supply  within  the  Commonwealth. 

To  better  determine  the  status  of  year  2000  compliance  by  public  utilities,  we  recommend  that  the 
Department  of  Telecommunications  and  Energy  request  that  all  public  utilities  within  the 
Commonwealth  report  to  DTE  monthly  on  their  Y2K  status. 


Additional  Recommendations  Brought  Forward  from  Prior  Report 

While  we  are  pleased  that  certain  of  our  recommendations  brought  forward  in  our  prior  report  have  been 
implemented,  we  have  included  those  recommendations  not  yet  acted  upon  that  remain  valid  at  this  time. 

To  help  ensure  that  year  2000  efforts  are  properly  directed,  entities  should  prioritize  systems  based  on 
their  level  of  mission-criticality,  level  of  risk  of  malfunction,  potential  exposure  from  non-compliance, 
and  complexity  of  achieving  year  2000  compliance. 

We  recommend  that  entities  address  year  2000  compliance  in  cooperation  with  other  entities  by 
networking  and  taking  advantage  of  resources  inside  and  outside  of  state  government. 

We  recommend  that  year  2000  be  addressed  with  an  enterprise-wide  perspective  and  that  the 
responsibility  for  year  2000  compliance  be  assigned  to  a  senior  executive  or  a  level  of  management 
sufficiently  high  within  the  entity  to  ensure  that  the  project  can  be  accomplished  in  a  timely  manner. 

To  assist  in  developing  year  2000  project  plans,  entities  should  benchmark  against  those  remediation 
practices  that  have  led  to  successful  year  2000  projects,  incorporating  them  when  appropriate  within 
their  own  projects. 

To  guide  and  monitor  their  year  2000  projects,  we  strongly  recommend  that  entities  use  project 
management  techniques. 

To  ensure  that  an  entity's  year  2000  project  is  given  adequate  direction,  careful  consideration  must  be 
given  to  the  skills  required  to  manage  the  project  when  selecting  and  appointing  the  project-team 
leader.  Staff  currently  in  charge  of  operations  should  not  be  expected  to  lead  the  year  2000  project, 
while  also  carrying  out  day-to-day  duties. 
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When  making  year  2000  modifications,  especially  when  third-party  vendors  are  to  be  engaged, 
controls  must  be  established  and  exercised  to  protect  confidential  and  sensitive  data  from 
unauthorized  access. 

Remedial  action  should  be  triaged  so  that  the  most  business-critical  systems  attain  year  2000 
compliance  first.  To  the  extent  possible,  remedial  action  for  various  mission-critical  systems  should  be 
carried  out  in  tandem,  and  test  scripts  and  test  databases  should  be  built  as  the  remediation  process  is 
carried  out. 

When  windowing  is  to  be  used,  entities  need  to  ensure  that  year  2000  assignment  assumptions  used  are 
in  sync  with  other  systems,  be  they  internal  or  external  to  the  entity. 

Management  should  consider  focusing  compliance  efforts  on  mission-critical  systems;  evaluating  the 
consequences  of  noncompliance  for  less  critical  systems;  and  developing  appropriate  contingency 
plans  to  address  needed  services. 

Entities  supporting  complex  and/or  multiple  software  systems  should  assess  the  need  for  using 
software  configuration  management  techniques.  If  software  is  to  be  used  to  perform  or  manage  this 
function,  it  should  be  implemented  at  the  beginning  of  the  year  2000  project  (or  earlier),  and  staff 
should  be  trained  in  its  use  upon  its  implementation  or  as  soon  as  possible. 

ITD  should  integrate  year-2000  requirements  within  standards  and  guidelines  issued  by  the 
Commonwealth's  Committee  on  Information  Technology  Standards  and  Guidelines. 

To  ensure  that  entity  systems  can  operate  in  concert  with  third-party  provider  systems,  sufficient 
assurances  should  be  obtained  that  stated  plans  are  being  adhered  to  for  year  2000  compliance,  that 
date  field  formatting  is  synchronized  with  entity  systems,  or  that  conversion  programs  are  developed 
in  time.  Entities  should  obtain  sufficient  evidence  of  year  2000  compliance  and  business  continuity 
planning  validation  for  third-party  information  system  vendors  and  business  partners  to  meet  the 
critical  needs  of  the  entity. 

To  ensure  that  the  integrity  and  security  of  systems  and  data  are  maintained,  appropriate  internal 
controls  must  be  in  effect  throughout  all  phases  of  year  2000  projects.  Especially  important,  are 
controls  to  protect  systems  and  data  from  unauthorized  access  and  change  and  to  ensure  that 
modifications  are  reviewed,  tested,  and  approved  before  being  migrated  from  the  test  environment 
into  production.  Given  that  persons  from  outside  the  entity  may  be  required  to  have  access  to  systems 
and  data  files  during  assessment  and  reprogramming,  existing  security  methods  may  need  to  be 
strengthened  to  address  security  and  operational  control  objectives.  We  recommend  that  state 
entities  require  that  procurement  of  all  software,  hardware,  and  equipment  containing  embedded 
software  complies  with  the  requirements  of  year  2000. 
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Incorporated  within  the  fabric  of  each  entity's  internal  control  structure  should  be  control  objectives 
and  controls  to  ensure  system  and  data  integrity  is  maintained  with  respect  to  year  2000  compliance. 
Appropriate  procedures  should  be  implemented  to  ensure  that  program  change  controls  and  program 
version  controls  are  in  place  at  all  times  throughout  the  year  2000  project.  We  further  recommend 
that  entities  establish  control  procedures  to  ensure  that  future  development  and  software  maintenance 
attains  year  2000  compliance. 

To  ensure  that  parties  who  depend  on  the  entity's  systems  are  aware  of  year  2000  status,  the  entity 
should  establish  a  cost/effective  method  to  keep  all  relevant  parties  informed  of  year  2000  initiatives. 

We  recommend  that  the  State  Treasurer  take  all  prudent  steps  required  to  protect  the  state's  private 
sector  equity  investments,  given  the  expected  disruptions  in  the  publicly-traded  equity  markets  that 
may  be  caused  by  the  year  2000  problem. 

To  ensure  proper  implementation  of  remediated  software  and  systems,  we  recommend  that  the  year 
2000  testing  and  compliance  team  be  assigned  the  responsibility  of  validating  and  certifying  test 
results  so  as  to  provide  assurance  that  the  remediated  software  will  operate  as  intended  when 
reintroduced  to  the  production  environment,  and  to  ensure  that  such  software  will  function  properly 
with  all  internal  and  external  interfaces. 

To  expedite  the  implementation  of  remediated  software,  we  recommend  that  entities  define  their 
transition  environment  and  procedures,  develop  and  document  a  schedule  for  the  implementation  of 
all  converted  or  replaced  applications  and  system  components,  and  resolve  all  data  exchange  issues 
and  interagency  concerns. 

To  avoid  problems  when  compliant  systems  are  reintegrated,  we  recommend  that  date  field  formatting 
be  synchronized,  or  conversion  programs  established,  for  data  interchanges  with  third-party 
information  systems  vendors  and  business  partners. 

We  recommend  that  entities  expedite  database  and  archive  conversions,  as  appropriate. 

When  modified  software  is  reintroduced  to  the  production  environment,  we  further  recommend  that 
entities  develop  associated  contingency  plans  and  update  or  develop  disaster  recovery  and  business 
continuity  plans. 

Entities  should  identify  all  printed  stock  of  forms  that  are  pre-printed  with  "19"  in  the  year  fields  and 
plan  for  a  "safe"  shift  to  the  year  2000  format  by  allowing  current  stock  to  run  down  and  reorder 
modified  stock  in  time  to  change  to  the  2000  format. 

We  recommend  that  a  system  of  centralized  reporting  of  year  2000  project  deliverables  (e.g.,  correctly 
modified  system  code)  be  developed  and  implemented  statewide.  Compliance  status  and  validation  of 
corrective  action  should  be  established  and  reported  to  track  progress  of  individual  entities  and  the 
Commonwealth  at  large. 
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Appendix  1 
Survey  Responses 

The  OS  A  mailed  and  distributed  638  survey  questionnaires  to  state  agency  heads.    In  addition,  the 
survey  was  included  on  the  OSA's  web  page  and  recipients  were  asked  to  complete  the  survey  and  send  it  to  the 
OSA;  226  surveys  were  received  in  this  manner.    We  determined  that  of  the  total  638  surveys  in  the  population, 
274  were  represented  in  the  final  responses,  representing  43%  of  the  total  population  of  agencies. 

The  first  survey,  issued  on  April  1,  1997,  had  total  responses  of  434  agencies  (68%),  while  this  survey 
has  only  226  responses  (43%).   One  major  reason  for  the  difference  in  numbers  is  that  the  AOTC  had  requested 
a  centralized  response,  yet  was  unable  to  submit  a  survey.   Another  reason  is,  in  phase  1,  agencies  had  19 
weeks  to  respond  while,  in  phase  2,  they  had  nine  weeks  to  respond.    Since  it  has  been  over  one  year  between 
the  phase  1  and  2  surveys,  agencies  should  have  been  able  to  fill  out  the  second  survey  in  less  time. 

Regarding  completed  surveys,  we  noted  that  a  total  of  226  surveys  were  returned  to  the  OSA.  Because 
data  processing  for  certain  agencies  was  provided  by  a  centralized  function  at  a  higher  organizational  level, 
certain  completed  surveys  were  submitted  and  were  deemed  to  represent  multiple  responses.  We  found  that  an 
additional  48  agencies  were  represented  in  this  manner. 

In  summary,  since  this  is  a  follow-up  survey,  agencies  should  have  been  much  farther  along  in  the  Y2K 
remediation  process;  thus,  we  believe  that  the  slow  rate  of  response  and,  in  some  instances,  a  failure  to  respond 
can  be  viewed  as  supportive  of  our  overall  conclusion  that  the  Commonwealth  as  a  whole  has  not  progressed 
sufficiently  regarding  the  year  2000  problem  and  has  not  yet  effected  sufficient  programs  to  obviate  it. 

The  attached  survey  and  compiled  responses  are  a  summary  of  the  most  critical  questions. 
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AUDITOR  OF  THE  COMMONWEALTH 

ONE  ASHBURTON  PLACE,  ROOM  1819 
BOSTON,  MASSACHUSETTS  02108 

TEL  (617)  727-6200 

Year  2000  Survey.  Phase  II 

The  Office  of  the  State  Auditor  is  conducting  a  follow  up  survey  to  identify  the  extent  to  which  state 
entities  have  assessed  the  impact  of  year  2000  on  their  automated  systems  and  have  taken  steps  to  ensure 
that  mission-critical  and  essential  information  systems,  supporting  technology,  and  equipment  with 
embedded  chips  will  be  made  year  2000  compliant. 

Given  the  immediacy  of  the  year  2000  issue,  we  would  greatly  appreciate  it  if  the  survey  could  be 
completed  as  soon  as  possible  and  either  mailed  to  our  Office  at  the  above  address,  to  the  attention  of 
Robert  Buchanan,  or  e-mailed  to  (Robert. Buchanan@SAO. state. ma. us)  not  later  than  September  17, 
1998.  Unless  your  agency  has  already  completed  its  year  2000  initiative,  it  is  possible  that  answers  to 
some  of  the  questions  will  not  be  known. 

Note  that  this  survey  questionnaire  may  also  be  found  on  the  Internet  at: 
( www .  magnet .  state,  ma.  us/sao/survey2 .  doc) . 

If  you  have  any  questions  regarding  the  survey  questionnaire,  please  contact: 

Bob  Buchanan  (617)  727-6200,  ext.  173 

e-mail:  (robert . buchanan@sao . state . ma . us) 

Thomas  W.  Ericson        (617)  727-6200,  ext.  160  or  (617)  727-8638 
e-mail:  (thomas . er icson@ sao . state . ma . us) 

Thank  you  in  advance  for  your  timely  assistance. 

Agency/ Authority/Department/Division  Information 


Name  Phone  Number  E-mail 

Organization  

Department  Head  

Information  Systems  Officer  

Year  2000  Project  Coordinator  

Survey  completed  by  

Date  survey  completed   /  /  

Does  your  organization  have  access  to  the  Internet? 

No      □       Web  Address   


w 

A.  JOSEPH  DENUCCI 
AUDITOR 
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I.     Current  Status 

1.        Indicate  current  status  of  year  2000  project  (complete  all  that  apply,  use  N/A  for  non-applicable  items): 

Average 


Per- 

On Schedule 

(No  year  2000  project  □) 

#of 

Response 

centage 

(+/-  No.  of 

#of 

Responses 

Rate 

Complete 

Months) 

Respon 

• 

System  inventory  &  prioritization 

188 

83% 

78% 

-5  to  + 1 

139 

• 

Assessment  &  compliance  strategy: 

-   for  hardware,  software,  &  data 

187 

83% 

63% 

-4  to  + 1 

10 

-   for  application  system  interfaces 

109 

48% 

88% 

-6  to  -1- 1 

8 

-   for  equipment  with  embedded  tech. 

180 

80% 

46% 

-6  to  +  3 

7 

-   Assessment  of  required  funding 

and  other  resources 

105 

46% 

82% 

-3  to  +4 

10 

• 

Initial  plans  for  the  project  and  testing: 

-   regarding  mission-critical  systems 

96 

42% 

86% 

-3  to  +13 

7 

-   regarding  essential  systems 

104 

46% 

83% 

-4  to  +13 

10 

• 

Conversion  &  replacement  of: 

-   mission-critical  systems 

90 

40% 

66% 

-3  to  +13 

14 

-   essential  systems 

98 

43% 

63% 

-4  to  +13 

11 

• 

Testing  &  validation  activities 

-   for  mission-critical  systems 

84 

37% 

58% 

-3  to  +13 

7 

-   for  essential  systems 

92 

41% 

61% 

-4  to  +13 

12 

-   for  third-party  interfaces 

61 

27% 

59% 

-6  to  +13 

8 

• 

Remediated  mission-critical 

systems  back  into  production 

59 

26% 

57% 

-3  to  +6 

5 

• 

Remediated  essential  systems 

back  into  production 

61 

27% 

63% 

-3  to  +6 

9 

• 

Mission-critical  equipment  with  embedded 

technology  upgraded/replaced 

62 

27% 

68% 

-2  to  +13 

7 

• 

Essential  equipment  with  embedded 

technology  upgraded/replaced 

68 

30% 

66% 

-2  to  + 13 

6 

• 

Documented  contingency  & 

risk  mitigation  plans: 

-   for  mission-critical  systems 

55 

24% 

55% 

-6  to  +2 

7 

-   for  essential  systems 

61 

27% 

55% 

-6  to  +4 

7 

-   for  mission  critical  equipment  with 

-   embedded  technology 

44 

19% 

53% 

-6  to  +2 

6 

-   for  essential  equipment  with 

-   embedded  technology 

51 

22% 

56% 

-6  to  +2 

6 
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•Mission  critical  systems  -  IT  or  embedded  systems  which  directly  impact  the  health,  safety,  or  livelihood  of  citizens  of  the 
Commonwealth;  directly  impact  the  ability  to  make  required  payments  and  collect  revenues  of  the  state;  and  the  loss  of  which  would 
severely  jeopardize  the  agency's  delivery  of  services. 

"Essential  systems  -  IT  or  embedded  systems  the  loss  of  which  would  cause  disruption  of  some  agency  services  without  disrupting 
primary  services. 

2.         Indicate  the  compliance  status  of  your  agency's  inventory  items: 


Average 

Average 

Count 

Range  Percentage 

Percentage 

Total 

Count  Evaluated 

Compliant 

Mission-critical  application  systems 

415 

Oto  63 

93% 

69% 

Number  of  responses 

81 

76 

72 

essential  application  systems 

851 

1  to  250 

89% 

66% 

Number  of  responses 

88 

81 

74 

mission-critical  software  products* 

944 

0  to  288 

86% 

66% 

Number  of  responses 

69 

63 

60 

essential  application  software  products* 

927 

0  to  320 

88% 

69% 

Number  of  responses 

74 

72 

68 

mission-critical  computing  platforms** 

2799 

0  to  2500 

87% 

67% 

Number  of  responses 

70 

68 

65 

essential  application  computing  platforms** 

302 

1  to  65 

87% 

69% 

Number  of  responses 

58 

53 

52 

mission-critical  PCs 

14,286 

0  to  2536 

94% 

84% 

Number  of  responses 

77 

69 

68 

essential  PCs 

14,842 

Oto  1700 

86% 

80% 

Number  of  responses 

80 

71 

75 

mission-critical  equipment  with  embedded  technology 

*  8,564 

0  to  8000 

79% 

48% 

Number  of  responses 

46 

36 

33 

essential  equipment  with  embedded  technology* 

373 

Oto  100 

65% 

63% 

Number  of  responses 

48 

42 

34 

*  Count  multiple  instances  of  the  product  or  device  as  1 . 
"  Not  including  PCs. 

3.        Does  your  agency's  application  systems  inventory  identify  the  source  of  the  software,  the  language  used, 
its  age,  its  size,  and  other  characteristics  that  would  assist  in  year  2000  planning  and  budgeting? 
Yes      85       No      25       N/A     35       No  Response  81 
38%  11%  15%  36% 

5.        Have  critical  event  horizons  been  established  for  key  business  processes  or  activities? 
Yes    72     No    32      N/A    49      No  Response  73 
32%  14%  22%  32% 

9.        Have  you  evaluated  the  vulnerability  of  your  agency's  systems  and  applications  to  external  organizations 
(e.g.,  data  exchange  partners,  suppliers,  service  providers)  that  fail  to  modify  their  own  systems  for  the 
year  2000  problem? 

Yes   71      No    44    N/A     43       No  Response  68 
31%  19%  19%  30% 
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10.       Has  a  detailed  financial  plan,  budget,  and  process  for  updating  and  managing  the  year  2000  costs  been 
developed  and  put  in  place? 

Yes   65      No    55      N/A  38  No  Response  68 

29%  24%  17%  30% 


1 1 .      Provide  estimates  of  your  current  year  2000  costs: 

b)  Estimated  total  cost             c)  Unfunded  cost 

Responses  99  29 

Range  $250  to  $1 8,800,000  $  1 ,500  to  $1 ,205,000 

Totaling  $89,239,546  $6,585,266 

State  Agencies  $61,132,497  $6,361,766 

Authorities  $28,107,049  $223,500 


II.  Planning 

1 .        Has  your  agency  established  executive  and  board-level  responsibility  for  year  2000  readiness  and 
compliance? 

Yes      92       No      40       N/A     34       No  Response  60 

41%  18%  15%  27% 

If  Yes,  identify:  Name:   Title:   

Address:  Phone  No.:   

 E-mail:  


10.  Does  your  entity  have  a  written  year  2000  plan  containing  specific  timetables  and  milestones  that  has  been 
approved  by  senior  management? 

Yes     60       No      54       N/A     53       No  Response  58 
27%  24%  23%  26% 

11.  Have  you  set  priorities  as  to  when  systems,  systems  software,  supporting  technology,  and  equipment  with 
embedded  technology  need  to  be  remediated  in  order  to  avoid  an  adverse  impact  on  the  public? 

Yes      88       No      21       Partially  complete        45       No  Response  72 
39%  9%  20%  32% 

12.  Does  your  year  2000  plan  require  a  comprehensive  assessment  of  year  2000  compliance  for  your  plant, 
equipment,  and  other  infrastructure  components? 

Yes     66       No      33       N/A     65       No  Response  62 
29%  15%  29%  27% 

13.  Have  vendors  of  critical  and  essential  infrastructure  components  been  contacted  to  obtain  sufficient 
assurance  that  the  components  are  compliant  or  that  adequate  plans  are  in  place  to  ensure  that  they  will  be 
compliant  when  required? 

Yes     93       No      26       N/A     46       No  Response  61 
41%  12%  20%  27% 
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14.  Does  your  agency  lease  or  occupy  non-state-owned  premises  and,  if  so,  have  procedures  been 
implemented  to  ensure  the  premises  and  infrastructure  are  year  2000  compliant? 

Yes     33       No      53       N/A     78       No  Response  62 

15%  23%  35%  27% 

15.  Has  your  agency  obtained  sufficient  documented  assurance  that  the  leased  or  non-state-owned  premise's 
infrastructure  will  be  year  2000  compliant? 

Yes      24       No      59       No  Response  143      Being  addressed  by  another  entity  Identify:  _ 
11%  26%  63% 

16.  Does  your  agency's  year  2000  strategy  and  plan  identify  year  2000  compliance  requirements  of  mission- 
critical  and  essential  trading  partners  and  suppliers  of  products  and  services? 

Yes     62       No      21       N/A     76       No  Response  67 
27%  9%  34%  30% 

17.  Has  your  agency  ensured  that  the  assumptions  upon  which  all  workarounds  (e.g.,  windows  and  other 
filters)  are  based  are  understood  and  are  being  consistently  applied  by  your  trading  partners  and  other 
data-exchange  agencies? 

Yes     29       No      28       N/A     101      No  Response  68 
13%  12%  45%  30% 

21 .  Has  your  agency's  disaster  recovery  and  business  continuity  plans  been  updated  to  address  year  2000? 
Yes     25       No      51       N/A,  no  plans  80       No  Response  70 

11%  23%  35%  31% 

22.  Is  your  agency  documenting  your  year  2000  initiative  sufficiently  so  as  to  demonstrate  due  diligence? 
Yes      88       No       19       Not  sure  45      No  Response  74 

39%  8%  20%  33% 

III.  Modifying  Systems 

1 .        Is  your  agency  documenting  all  code  and  system  modifications  and  using  program  change  management 
techniques  to  ensure  that  only  authorized  changes  are  made? 
Yes      64       No       14       N/A     86       No  Response  63 
28%  6%  38%  28% 

IV.  Testing 

3 .        Has  your  agency  performed  unit,  system,  and  integration  tests  on  each  converted  or  replaced  component? 
Yes      53       No      52       N/A     47       No  Response  74 
23%  23%  21%  33% 
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Have  written  procedures  and  standards  been  established  to  test,  as  early  as  possible,  those  mission-critical 
and  essential  systems,  computer  controlled  devices,  products,  etc.,  which  are  considered  to  be  year  2000 
compliant? 

Yes      52       No      53       N/A     49       No  Response  72 
23%  23%  22%  32% 


Are  the  test  results  formally  documented? 
Yes      35        No       47       N/A  67 
15%  21%  30% 


No  Response 


77 
34% 


7.        Has  independent  verification  and  validation  for  year  2000  compliance  been  performed  on  your  agency's 
mission-critical  and  essential  systems? 

Yes      20       Some    58       No      46       N/A     12       No  Response  90 
9%  26%  20%  5%  40% 


8.        Is  your  agency  tracking  the  testing  and  validation  process,  and  collecting  and  using  project-related 
statistics  to  manage  the  process? 

Yes      41        No       53       N/A     57       No  Response  75 
18%  23%  25%  33% 


9.        Has  your  agency  completed  acceptance  testing? 

Yes      12       No      72       Partially  complete        55      No  Response  87 
5%  32%  24%  38% 


V.    Implementing  Remediated  Software  and  Technology 

2.        Has  your  agency  developed  and  documented  a  schedule  for  the  implementation  of  all  converted  or 
replaced  application  systems,  system  software,  and  components  supporting  technology? 
Yes      79       No      31       N/A     44       No  Response  72 
35%  14%  19%  32% 


3.        Has  your  agency  resolved  all  data  exchange  issues  and  interagency  concerns? 
Yes      36       No      69       N/A     49       No  Response  72 
16%  31%  22%  30% 


5.       .  Has  your  agency  dealt  with  reintegrating  (or  retrofitting)  remediated  application  systems  and  related  data 
with  other  modifications  being  made  to  those  systems? 
Yes      53       No      33       N/A     68       No  Response  72 
23%  15%  30%  32% 


6.        For  mission-critical  and  essential  systems  and  technology,  has  your  agency  developed  a  statement  of 

impact  indicating  the  degree  to  which  business  operations  would  be  negatively  impacted  should  the  year 
2000  problem  not  be  successfully  addressed? 
Yes      26       No      74       N/A     51       No  Response  75 
12%  33%  23%  33% 
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VI.  Other 


What  barriers  have  you  encountered  in  carrying  out  your  year  2000  project,  (e.g.,  inadequate  executive 
support,  competing  priorities,  lack  of  resources,  uncooperative  vendors  or  business  partners)  and  how 
have  you  addressed  them?        (provide  attachment  if  needed) 

Barrier:  99  responses.  The  following  is  a  partial  list  of  recurring  problems  identified: 

•    Difficulty  with  vendors  •    Lack  of  resources 


Competing  priorities 
Apathy  toward  Y2K  problem 
Funding 


Depend  upon  other  agencies  for  their 
resources. 


Solution:  :  81  responses. 


The  following  is  a  partial  list  of  solutions  recommended: 


One  standard  reporting  form  for  all 
agencies. 

Hire  more  contractors;  put  other 
projects  on  hold  and  reassign 
resources 


•  Awaiting  approval  from  HRD  to  hire  EDP 
analyst  to  act  as  its  administrator/Y2K 
coordinator 

•  Additional  staff  and  funds  for  contractor 
needed 


Has  (or  have)  the  barrier(s)  noted  above  been  formally  reported  to  senior  management  for  resolution? 
Yes      48       No       10       N/A     69       No  Response  99 
21%  4%  31%  44% 


When  was  the  last  time  your  agency  produced  a  status  report  on  the  year  2000  project  to  senior 
management? 


Date 

Number  of 

Date 

Number  of 

Date 

Completed 

Responses 

Completed 

Responses 

Completed 

9/1/88 

1 

7/1/98 

3 

9/11/98 

6/1/97 

1 

7/11/98 

9/14/98 

12/1/97 

1 

7/15/98 

9/15/98 

1/1/98 

2 

8/1/98 

9/16/98 

2/28/98 

1 

8/25/98 

9/17/98 

3/1/98 

1 

8/27/98 

9/18/98 

4/1/98 

1 

8/31/98 

9/24/98 

5/1/98 

2 

9/1/98 

28 

9/30/98 

5/12/98 

1 

9/3/98 

10/1/98 

6/1/98 

5 

9/9/98 

10/7/98 

6/30/98 

2 

9/10/98 

Number  of 
Responses 
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Appendix  2 
Survey  Population  and  Respondents 


The  following  is  a  listing  of  entities  to  which  year  2000  survey  questionnaires  were  distributed  through  our 
mailing  or  web  page.  The  list  indicates  the  date  that  our  office  received  a  response  to  the  survey.  We 
acknowledge  that  for  some  entities  for  which  no  response  date  is  provided,  the  entity  may  have  considered  that 
they  were  included  in  the  response  of  a  parent  entity.  In  some  instances,  an  administrative  office  or  division 
may  have  responded  for  a  department  reporting  to  them. 

Agencies 

Administration  &  Finance  Central  Business  Office 

10/5/98 

Division  of  Standards 

Bay  Cove  Mental  Health  Center 

9/30/98 

Division  of  Water  Resources 

Bridgewater  Treatment  Center 

9/18/98 

Division  of  Waterways 

9/16/98 

Brockton  Multi-Service  Center 

9/3/98 

DMR  Fernald  Center 

1  c\n  /QB 

Bureau  of  Special  Investigations 

9/30/98 

DMR  Hogan  Regional  Center 

iu/z/yo 

Bureau  of  State  Buildings 

9/16/98 

DMR  Irving  A.  Glavin  Regional  Center 

10/2/98 

Cambridge-Somerville  Mental  Health  Center 

9/30/98 

DMR  Central  Region 

in/-) /oe 
iu/z/yo 

Chelsea  Soldiers'  Home 

9/18/98 

DMR  Metro  Region 

in/T/Qfl 

Cooperation  for  Business  and  Learning 

DMR  Northeast  Region 

10/2/98 

Department  of  Corrections 

9/18/98 

DMR  Western  Region 

10/2/98 

Department  of  Economic  Development 

9/17/98 

DMR  Central  Region 

10/2/98 

Department  of  Education 

Dr.  John  C.  Corrigan  Mental  Health  Center 

9/30/98 

Department  of  Environmental  Management 

9/16/98 

Dr.  Solomon  Carter  Fuller  Mental  Health  Center 

9/30/98 

Department  of  Environmental  Protection 

9/17/98 

Environmental  Law  Enforcement 

Department  of  Fisheries,  Wildlife  and  Environmental 

10/28/98 

Erich  Lindemann  Mental  Health  Center 

yl  JU/yo 

Law  Enforcement 

Executive  Office  for  Administration  and  Finance 

10/9^/08 

1U/ ZJ/70 

Department  of  Food  and  Agriculture 

1 1/2/98 

Executive  Office  of  Elder  Affairs 

in/i  /qb 

Department  of  Housing  and  Community  Development 

9/16/98 

Executive  Office  of  Environmental  Affairs 

1  1  n  /QB 
1  Yl  LI  yo 

Department  of  Industrial  Accidents 

1 1/5/98 

Executive  Office  of  Health  and  Human  Services 

lu/zo/ys 

Department  of  Labor  And  Work  Force  Development 

Executive  Office  of  Public  Safety 

y/zy/yo 

Department  of  Marine  Fisheries 

10/98/08 

EOPS  Programs  Division 

n/  i  n  /no 
y/ 1  //yo 

Department  of  Mental  Health 

9/30/98 

Executive  Office  of  Transportation  and  Construction 

Department  of  Mental  Retardation 

10/2/98 

Fall  River  Line  Pier 

10/1/98 

Department  of  Public  Health 

9/25/98 

Fire  Fighting  Academy 

Department  of  Public  Safety 

9/21/98 

Fiscal  Affairs  Division 

in/fn  /no 

lu/iy/ys 

Department  of  Telecommunications  and  Energy 

1  a  /  i  c  /no 

iu/i5/yo 

Forest  and  Parks  Division 

n/i  a  /no 

y/io/ys 

Department  of  Revenue 

10/1/98 

George  Fingold  Library 

10/29/98 

Department  of  Social  Services 

10/8/98 

Group  Insurance  Commission 

9/30/98 

Department  of  Transitional  Assistance 

10/2/98 

Hampden  County  Detention  Center 

Department  of  Veterans'  Services 

Hazardous  Waste  Site  Safety  Council 

Department  of  Youth  Services 

9/17/98 

Higher  Education  Coordinating  Council 

Disability  Determination  Services 

Holyoke  Soldiers'  Home 

9/18/98 

Division  of  Banks 

9/16/98 

Human  Resources  Division 

9/18/98 

Division  of  Capital  Asset  Management 

9/17/98 

Information  Technology  Division 

9/21/98 

Division  of  Conservation  Services 

11/2/98 

Joint  Labor  Management  Committee 

Division  of  Employment  And  Training 

9/16/98 

Marquardt  Skilled  Nursing  Facility 

10/2/98 

Division  of  Energy  Resources 

Marine  Fisheries  Annisquam  River 

10/28/98 

Division  of  Health  Care  Finance  and  Policy 

9/17/98 

Massachusetts  Arts  Lottery  Council 

Division  of  Insurance 

9/21/98 

Massachusetts  Convention  Center 

9/16/98 

Division  of  Registration 

9/16/98 

Division  of  Law  Enforcement 

10/1/98 
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Massachusetts  Criminal  Justice  Training  Council 

10/9/98 

Massachusetts  Cultural  Council 

9/15/98 

Massachusetts  District  Attorneys'  Association 

10/16/98 

Massachusetts  Board  of  Higher  Education 

Massachusetts  Emergency  Management  Agency 

9/23/98 

Massachusetts  Highway  Department 

9/15/98 

Massachusetts  Housing  Finance  Agency 

9/21/98 

Massachusetts  Mental  Health  Center 

9/30/98 

Massachusetts  National  Guard 

10/1/98 

Massachusetts  Office  on  Disability 

9/30/98 

Massachusetts  Office  of  Dispute  Resolution 

10/28/98 

MCI  Massachusetts  Boot  Camp 

9/18/98 

MCI  Bay  State  Correctional  Center 

10/13/98 

MCI  Boston  Pre-Release  Center 

9/18/98 

MCI  Bridgewater  State  Hospital 

9/18/98 

MCI  Cedar  Junction 

9/18/98 

MCI  Concord 

9/18/98 

MCI  Framingham 

9/18/98 

MCI  Lancaster 

9/18/98 

MCI  Longwood  Treatment  Center 

9/18/98 

MCI  Norfolk 

9/18/98 

MCI  Northeast  Correction  Center 

9/18/98 

MCI  Old  Colony  Correction  Center 

9/18/98 

MCI  Park  Drive  Pre-Release 

9/18/98 

MCI  Plymouth 

9/29/98 

MCI  Pondville  Correction  Center 

9/18/98 

MCI  South  Middlesex  Correctional  Center 

9/18/98 

Authoriti 

Abington  Housing  Authority 

10/26/98 

Acton  Housing  Authority 

9/30/98 

Acushnet  Housing  Authority 

Adams  Housing  Authority 

Agawam  Housing  Authority 

10/7/98 

Amesbury  Housing  Authority 

Amherst  Housing  Authority 

10/1/98 

Andover  Housing  Authority 

Arlington  Housing  Authority 

9/30/98 

Ashland  Housing  Authority 

Athol  Housing  Authority 

Attleboro  Housing  Authority 

9/8/98 

Auburn  Housing  Authority 

10/9/98 

Avon  Housing  Authority 

Ayer  Housing  Authority 

Barnstable  Housing  Authority 

Barre  Housing  Authority 

Bedford  Housing  Authority 

9/14/98 

Belchertown  Housing  Authority 

Bellingham  Housing  Authority 

Belmont  Housing  Authority 

Berkshire  County  Regional  Housing  Authority 

Beverly  Housing  Authority 

9/29/98 

MCI  Southeastern  Correctional  Center 

9/18/98 

MCI-Shirley,  Shirley  Pre-Release  Center 

9/18/98 

Mental  Health  Legal  Advisors  Committee 

9/30/98 

Metro  Area  Planning  Council 

Monson  Developmental  Center 

9/3/98 

New  Chardon  Street  Home  for  Women 

North  Central  Correctional  Institute 

9/18/98 

Northern  Middlesex  Council  of  Governments 

Office  for  Child  Care  Services 

9/18/98 

Office  of  Campaign  and  Political  Finance 

9/16/98 

Office  of  Consumer  Affairs  and  Business  Regulations 

9/30/98 

Office  of  the  Chief  Medical  Examiner 

Office  of  the  Inspector  General 

10/1/98 

Office  of  the  State  Comptroller 

10/13/98 

Old  Colony  Planning  Council 

Operational  Services  Division 

10/26/98 

Paul  A.  Dever  State  School 

10/2/98 

Quincy  Mental  Health  Center 

9/30/98 

Registry  of  Motor  Vehicles 

9/17/98 

Sergeant  At  Arms 

Solid  Waste  Management 

9/17/98 

State  Board  of  Retirement 

Templeton  Development  Center 

10/2/98 

Water  Pollution  Control 

9/17/98 

Western  Massachusetts  Area  Office 

Wrentham  State  School 

10/2/98 

-  Housing 

Billerica  Housing  Authority 

Blackstone  Housing  Authority 

9/21/98 

Boston  Housing  Authority 

Bourne  Housing  Authority 

Braintree  Housing  Authority 

11/4/98 

Brewster  Housing  Authority 

Bridgewater  Housing  Authority 

9/29/98 

Brimfield  Housing  Authority 

9/15/98 

Brockton  Housing  Authority 

10/9/98 

Brookfield  Housing  Authority 

Brookline  Housing  Authority 

9/30/98 

Burlington  Housing  Authority 

10/23/98 

Cambridge  Housing  Authority 

9/30/98 

Canton  Housing  Authority 

Carver  Housing  Authority 

9/17/98 

Charlton  Housing  Authority 

Chatham  Housing  Authority 

9/2/98 

Chelmsford  Housing  Authority 

9/30/98 

Chelsea  Housing  Authority 

Chicopee  Housing  Authority 

8/27/98 

Clinton  Housing  Authority 

Cohasset  Housing  Authority 

Concord  Housing  Authority 
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Dalton  Housing  Authority 

Danvers  Housing  Authority 

9/8/98 

Dartmouth  Housing  Authority 

Dedham  Housing  Authority 

Dennis  Housing  Authority 

Dighton  Housing  Authority 

9/2/98 

Douglas  Housing  Authority 

Dracut  Housing  Authority 

Dudley  Housing  Authority 

Dukes  County  Regional  Housing  Authority 

Duxbury  Housing  Authority 

East  Bridgewater  Housing  Authority 

East  Longmeadow  Housing  Authority 

Easthampton  Housing  Authority 

9/2/98 

Easton  Housing  Authority 

Essex  Housing  Authority 

9/4/98 

Everett  Housing  Authority 

8/31/98 

Fairhaven  Housing  Authority 

9/30/98 

Fall  River  Housing  Authority 

Falmouth  Housing  Authority 

Fitchburg  Housing  Authority 

Foxboro  Housing  Authority 

Framingham  Housing  Authority 

Franklin  County  Regional  Housing  Authority 

Franklin  Housing  Authority 

Gardner  Housing  Authority 

9/14/98 

Georgetown  Housing  Authority 

Gloucester  Housing  Authority 

8/28/98 

Grafton  Housing  Authority 

Granby  Housing  Authority 

9/17/98 

Great  Barrington  Housing  Authority 

9/3/98 

Greenfield  Housing  Authority 

Groton  Housing  Authority 

Groveland  Housing  Authority 

Hadley  Housing  Authority 

Halifax  Housing  Authority 

Hamilton  Housing  Authority 

Hampden  Housing  Authority 

Hampshire  County  Regional  Housing  Authority 

Hanover  Housing  Authority 

Hanson  Housing  Authority 

10/2/98 

Harwich  Housing  Authority 

Hatfield  Housing  Authority 

Haverhill  Housing  Authority 

Hingham  Housing  Authority 

Holbrook  Housing  Authority 

Holden  Housing  Authority 

Holliston  Housing  Authority 
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Holyoke  Housing  Authority 

10/21/98 

Hopedale  Housing  Authority 

9/3/98 

Hopkinton  Housing  Authority 

Hudson  Housing  Authority 

Hull  Housing  Authority 

9/18/98 

Ipswich  Housing  Authority 

Kingston  Housing  Authority 

Lancaster  Housing  Authority 

Lawrence  Housing  Authority 

Lee  Housing  Authority 

Leicester  Housing  Authority 

Lenox  Housing  Authority 

Leominster  Housing  Authority 

Lexington  Housing  Authority 

10/6/98 

Littleton  Housing  Authority 

Longmeadow  Housing  Authority 

8/28/98 

Lowell  Housing  Authority 

9/18/98 

Ludlow  Housing  Authority 

9/21/98 

1  iinpnhnro  HniiQino  Anthnritv 

Lynn  Housing  Authority 

y/ju/yo 

Lynnfield  Housing  Authority 

in/1  /as 
1U/  i/yo 

Maiden  Housing  Authority 

Manchester  Housing  Authority 

iu/  zu/yo 

Mansfield  Housing  Authority 

Marblehead  Housing  Authority 

Marlboro  Housing  Authority 

Marshfield  Housing  Authority 

Mashpee  Housing  Authority 

Mattapoisett  Housing  Authority 

10/99/08 
1U/  zz/ yo 

Maynard  Housing  Authority 

inn  /qb 
iu/  i/yo 

Medfield  Housing  Authority 

9/30/98 

Medford  Housing  Authority 

Q/O^/QB 

y/zj/yo 

Medway  Housing  Authority 

Melrose  Housing  Authority 

Mendon  Housing  Authority 

Merrimac  Housing  Authority 

Methuen  Housing  Authority 

Middleboro  Housing  Authority 

Middleton  Housing  Authority 

O/T}  /GO 

y/zz/yo 

Millbury  Housing  Authority 

y/zj/yo 

Millis  Housing  Authority 

i  n/ 1  /qb 
iu/  i/yo 

Milton  Housing  Authority 

Milford  Housing  Authority 

Monson  Housing  Authority 

Montague  Housing  Authority 

y/y/ys 

Nahant  T-TniiQino  Anthnritv 
llallalll  nuUMllg  AUUKN  lly 

9/16/98 

Nantucket  Housing  Authority 

10/8/98 

Natick  Housing  Authority 

Needham  Housing  Authority 

New  Bedford  Housing  Authority 
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Newburyport  Housing  Authority 

10/7/98 

Newton  Housing  Authority 

Norfolk  Housing  Authority 

North  Adams  Housing  Authority 

North  Andover  Housing  Authority 

North  Attleboro  Housing  Authority 

North  Brookfield  Housing  Authority 

North  Reading  Housing  Authority 

Northampton  Housing  Authority 

10/29/98 

Northborough  Housing  Authority 

Northbridge  Housing  Authority 

9/16/98 

Norton  Housing  Authority 

Norwell  Housing  Authority 

Norwood  Housing  Authority 

Orange  Housing  Authority 

9/29/98 

Orleans  Housing  Authority 

8/31/98 

Oxford  Housing  Authority 

Palmer  Housing  Authority 

Peabody  Housing  Authority 

9/2/98 

Pembroke  Housing  Authority 

Pepperell  Housing  Authority 

10/1/98 

Pittsfield  Housing  Authority 

Plainville  Housing  Authority 

Plymouth  Housing  Authority 

10/23/98 

Provincetown  Housing  Authority 

Quincy  Housing  Authority 

Randolph  Housing  Authority 

Raynham  Housing  Authority 

9/2/98 

Reading  Housing  Authority 

Rehoboth  Housing  Authority 

Revere  Housing  Authority 

10/1/98 

Rockland  Housing  Authority 

Rockport  Housing  Authority 

9/11/98 

Rowley  Housing  Authority 

9/21/98 

Salem  Housing  Authority 

Salisbury  Housing  Authority 

9/18/98 

Sandwich  Housing  Authority 

9/30/98 

Saugus  Housing  Authority 

Scituate  Housing  Authority 

10/7/98 

Seekonk  Housing  Authority 

Sharon  Housing  Authority 

10/12/98 

Shrewsbury  Housing  Authority 

Somerset  Housing  Authority 

9/1/98 

Somerville  Housing  Authority 

9/18/98 

South  Hadley  Housing  Authority 

Southampton  Housing  Authority 

Southborough  Housing  Authority 

Southbridge  Housing  Authority 

Southwick  Housing  Authority 

9/29/98 

Spencer  Housing  Authority 

Springfield  Housing  Authority 

9/9/98 

Sterling  Housing  Authority 

Stockbridge  Housing  Authority 

Stoneham  Housing  Authority 

Stoughton  Housing  Authority 

Sturbridge  Housing  Authority 

Sudbury  Housing  Authority 

9/23/98 

Sutton  Housing  Authority 

9/23/98 

Swampscott  Housing  Authority 

Swansea  Housing  Authority 

Taunton  Housing  Authority 

9/30/98 

Templeton  Housing  Authority 

10/7/98 

Tewksbury  Housing  Authority 

9/23/98 

Topsfield  Housing  Authority 

Tyngsboro  Housing  Authority 

Upton  Housing  Authority 

Uxbridge  Housing  Authority 

8/27/98 

Wakefield  Housing  Authority 

9/23/98 

Walpole  Housing  Authority 

Waltham  Housing  Authority 

Ware  Housing  Authority 

Wareham  Housing  Authority 

Warren  Housing  Authority 

Watertown  Housing  Authority 

Wayland  Housing  Authority 

Webster  Housing  Authority 

Wellesley  Housing  Authority 

Wenham  Housing  Authority 

9/4/98 

West  Boylston  Housing  Authority 

West  Bridgewater  Housing  Authority 

West  Brookfield  Housing  Authority 

10/7/98 

West  Newbury  Housing  Authority 

West  Springfield  Housing  Authority 

9/3/98 

Westborough  Housing  Authority 

8/28/98 

Westfield  Housing  Authority 

9/1/98 

Westford  Housing  Authority 

9/21/98 

Westminster  Housing  Authority 

Westport  Housing  Authority 

Weymouth  Housing  Authority 

Whitman  Housing  Authority 

9/25/98 

Wilbraham  Housing  Authority 

Williamstown  Housing  Authority 

9/16/98 

Wilmington  Housing  Authority 

8/31/98 

Winchendon  Housing  Authority 

Winchester  Housing  Authority 

9/24/98 

Winthrop  Housing  Authority 

9/10/98 

Woburn  Housing  Authority 

Worcester  Housing  Authority 

Wrentham  Housing  Authority 

Yarmouth  Housing  Authority 

10/7/98 
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Authorities  -  Other 


Bourne  Recreation  Authority 

Massachusetts  Turnpike  Authority 

9/17/98 

Massachusetts  Bay  Transportation  Authority 

9/17/98 

Massachusetts  Water  Resources  Authority 

9/17/98 

Massachusetts  Development  Authority 

10/29/98 

Southeastern  Mass  University.  Building  Authority 

Massachusetts  Port  Authority 

9/16/98 

Steamship  Authority 

Massachusetts  State  College  Building  Authority 

Boards  and  Commissions 


Alcoholic  Beverage  Control  Commission 

9/21/98 

Annpllafp  Thy  RnnrH 
rvj^ptllalt  l  aA  uudiu 

10/5/98 

Architectural  Access  Board 

Art  Commission 

Ballot  Law  Commission 

Berkshire  Regional  Planning  Commission 

Board  of  Library  Commissioners 

Board  of  Registration  of  Medicine 

9/16/98 

Boxers  Fund  Board 

Cape  Cod  Planning  Economic  Commission 

Civil  Service  Commission 

10/2/98 

Central  Massachusetts  Planning  Commission 

Commission  for  the  Blind 

9/21/98 

Commission  for  The  Deaf  and  Hard  of  Hearing 

Commission  on  Judicial  Conduct 

Criminal  History  Systems  Board 

9/16/98 

Disabled  Persons  Protection  Commission 

9/9/98 

Energy  Facilities  Siting  Board 

Franklin  County  Planning  Commission 

Labor  Relations  Commission 

10/2/98 

Lottery  Commission 

9/16/98 

Massachusetts  Aeronautics  Commission 

9/16/98 

Massachusetts  Cable  Television  Commission 

Massachusetts  Commission  Against  Discrimination 

10/28/98 

Massachusetts  Historical  Commission 

Massachusetts  Rehabilitation  Commission 

10/5/98 

Merit  Rating  Board 

9/18/98 

Merrimac  Valley  Planning  Commission 

Metropolitan  District  Commission 

10/7/98 

Montachusett  Region  Planning  Commission 

New  England  Board  of  Education 

10/6/98 

Outdoor  Advertising  Board 

Parole  Board 

9/17/98 

Pioneer  Valley  Planning  Commission 

9/30/98 

Public  Access  Board 

Public  Employee  Retirement  Admin.  Commission 

9/14/98 

Records  Conservation  Board 

Southeast  Region  Planning  and  Economic  Commission 

9/17/98 

State  Ethics  Commission 

8/28/98 

State  Racing  Commission 

9/18/98 

Teachers'  Retirement  Board 

10/1/98 

Victim  Witness  Assistance  Board 

Colleges  and  Universities 


Berkshire  Community  College 

10/8/98 

Bridgewater  State  College 

9/17/98 

Bristol  Community  College 

9/17/98 

Bunker  Hill  Community  College 

9/17/98 

Cape  Cod  Community  College 

9/28/98 

Fitchburg  State  College 

Framingham  State  College 

9/16/98 

Greenfield  Community  College 

9/30/98 

Holyoke  Community  College 

9/17/98 

Massachusetts  Bay  Community  College 

Massachusetts  College  of  Art 

9/24/98 

Massachusetts  College  of  Liberal  Arts 

10/16/98 

Massachusetts  Maritime  Academy 

10/1/98 

Massasoit  Community  College 

9/16/98 

Middlesex  Community  College 

10/9/98 

Mount  Wachusett  Community  College 

9/16/98 

North  Adams  State  College 

North  Shore  Community  College 

10/16/98 

Northern  Essex  Community  College 

9/30/98 

Quinsigamond  Community  College 

9/17/98 

Roxbury  Community  College 

9/18/98 

Salem  State  College 

9/16/98 

Springfield  Technical  Community  College 

9/25/98 

University  of  Massachusetts 

University  of  Massachusetts  -  Amherst 

10/1/98 

University  of  Massachusetts  -  Boston 

10/7/98 

University  of  Massachusetts  Central  Administrative 
Services 

University  of  Massachusetts  -  Dartmouth 

10/13/98 

University  of  Massachusetts  -Lowell 

10/16/98 

University  of  Massachusetts  Medical  Center 

10/5/98 

Westfield  State  College 

9/30/98 

Worcester  State  College 

10/16/98 

Massachusetts  Office  of  the  State  Auditor 


99-7055-4Y 


-58- 


Constitutional  Officers 


Office  of  the  State  Auditor 


Office  of  the  Attorney  General 


10/15/98 


10/28/98 


Office  of  the  Secretary  of  State 


Office  of  the  State  Treasurer 


10/12/98 


10/21/ 


District  Attorneys 


Barnstable  District  Attorney 

Berkshire  District  Attorney 

Bristol  District  Attorney 

Cape  and  Islands  District  Attorney 

9/22/98 

Essex  County  District  Attorney 

Franklin  Hampshire  County  District  Attorney 

Hampden  District  Attorney 

Middlesex  District  Attorney 

Norfolk  County  District  Attorney 

Plymouth  District  Attorney 

Suffolk  County  District  Attorney 

Worcester  County  District  Attorney 

Governor 


Governor's  Council 

9/17/98 

Governor's  Office 

9/17/98 

Governor's  Highway  Safety  Bureau 

10/5/98 

Lieutenant  Governor's  Office 

9/17/98 

Hospitals 

Lemuel  Shattuck  Hospital 

Tewksbury  Hospital 

9/25/98 

Massachusetts  Hospital  School 

9/25/98 

Westborough  State  Hospital 

Medfield  State  Hospital 

10/2/98 

Western  Massachusetts  Hospital 

10/25/98 

Taunton  State  Hospital 

10/20/98 

Worcester  State  Hospital 

Judiciary 


Administrative  Law  Appeals 

9/17/98 

Administrative  Office  of  Housing  Court 

Administrative  Office  of  Juvenile  Courts 

Administrative  Office  Probate  and  Family  Court 

Administrative  Office  District  Courts 

Administrative  Office  of  the  Superior  Court 

Administrative  Office  of  the  Trial  Court 

Appeals  Court 

Attleboro  District  Court 

Ayer  District  Court 

Barnstable  County  Probate  and  Family  Court 

10/2/98 

Barnstable  District  Court 

Barnstable  Superior  Court 

Berkshire  County  Probate  and  Family  Court 

Berkshire  Superior  Court 

Boston  Housing  Court 

Boston  Juvenile  Court 

Boston  Municipal  Court 

Brighton  District  Court 

Bristol  County  Juvenile  Court 

Bristol  County  Probate  and  Family  Court 

Brockton  District  Court 

Brookline  District  Court 

Cambridge  District  Court 

Charlestown  District  Court 

Chelsea  District  Court 

Chicopee  District  Court 

Clinton  District  Court 

Concord  District  Court 

Court  Facilities  Bureau 

Dedham  District  Court 

Dorchester  District  Court 

Dudley  District  Court 

Dukes  County  Probate  and  Family  Court 

Dukes  County  Superior  Court 

East  Boston  District  Court 

9/9/98 

East  Brookfield  District  Court 

Edgartown  District  Court 

Essex  County  Probate  and  Family  Court 

9/23/98 

Essex  County  Superior  Court 

Fall  River  District  Court 

Fitchburg  District  Court 

Framingham  District  Court 

Franklin  County  Probate  and  Family  Court 

Franklin  Superior  Court 

Gardner  District  Court 
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Gloucester  District  Court 

Orleans  District  Court 

Greenfield  District  Court 

Palmer  District  Court 

Hampden  County  Housing  Court 

Peabody  District  Court 

Hampden  County  Probate  and  Family  Court 

Pittsfield  District  Court 

Hampden  Superior  Court 

Plymouth  County  Juvenile  Probate  Court 

Hampshire  County  Probate  and  Family  Court 

Plymouth  District  Court 

Hampshire  County  Superior  Court 

9/4/98 

Plymouth  Probate  and  Family  Court 

Haverhill  District  Court 

Plymouth  Superior  Court 

Hingham  District  Court 

Quincy  District  Court 

Holyoke  District  Court 

Roxbury  District  Court 

Ipswich  District  Court 

Salem  District  Court 

Land  Court 

9/15/98 

Somerville  District  Court 

Lawrence  District  Court 

South  Boston  District  Court 

Leominster  District  Court 

Southern  Berkshire  District  Court 

Lowell  District  Court 

Springfield  District  Court 

Lynn  District  Court 

Springfield  Div  Juvenile  Court 

Maiden  District  Court 

Stoughton  District  Court 

9/17/98 

Marlborough  District  Court 

Suffolk  County  Probate  and  Family  Court 

Middlesex  County  Probate  and  Family  Court 

Suffolk  Superior  Court 

Middlesex  Juvenile  Court 

Superior  Court  House  -  New  Bedford 

Middlesex  Superior  Court 

Supreme  Judicial  Court 

Milford  District  Court 

Taunton  District  Court 

Nantucket  District  Court 

Uxbridge  District  Court 

Nantucket  Probate  and  Family  Court 

Waltham  District  Court 

Nantucket  Superior  Court 

Ware  District  Court 

Natick  District  Court 

Wareham  District  Court 

New  Bedford  District  Court 

West  Roxbury  Trial  Court 

Newburyport  District  Court 

Westborough  District  Court 

Newton  District  Court 

Westfield  District  Court 

Norfolk  County  Probate  and  Family  Court 

Winchendon  District  Court 

Norfolk  County  Superior  Court 

Woburn  District  Court 

North  Essex  Juvenile  Probate  Court 

Worcester  County  Juvenile  Court 

Northampton  District  Court 

Worcester  County  Probate  and  Family  Court 

Northern  Berkshire  District  Court 

Worcester  District  Court 

Office  of  the  Commissioner  of  Probation 

Worcester  Housing  Court 

Office  of  the  Jury  Commissioner 

10/1/98 

Worcester  Superior  Court 

Orange  District  Court 

Wrentham  District  Court 

Legislative 

House  of  Representatives 

9/25/98 

Senate 

9/30/98 

Legislative  Post  Audit  Oversight  Bureau 

9/25/98 

Senate  Post  Audit  Committee 

9/30/98 

Other 


Children's  Trust  Fund 

10/8/98 

Community  Economic  Development  Assistance 
Corporation 

8/28/98 

Government  Land  Bank 

Greater  Lawrence  Sanitary  District 

Massachusetts  Community  Development  Finance 
Corporation 

Massachusetts  Technology  Development  Corporation 

Massachusetts  Technology  Park  Corporation 
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Regional  Development  Authorities 


Arlington  Regional  Development  Authority 

Attleboro  Regional  Development  Authority 

Beverly  Regional  Development  Authority 

Boston  Regional  Development  Authority 

Cambridge  Regional  Development  Authority 

9/17/98 

Fall  River  Regional  Development  Authority 

Fitchburg  Regional  Development  Authority 

9/2/98 

Gardner  Regional  Development  Authority 

9/2/98 

Milford  Regional  Development  Authority 

New  Bedford  Regional  Development  Authority 

9/30/98 

Newburyport  Regional  Development  Authority 

Newton  Community  Development  Authority 

Cifyo  /no 

Northampton  Regional  Development  Authority 

Plymouth  Regional  Development  Authority 

Salem  Regional  Development  Authority 

Stoughton  Regional  Development  Authority 

Taunton  Regional  Development  Authority 

Weymouth  Regional  Development  Authority 

Woburn  Regional  Development  Authority 

Worcester  Regional  Development  Authority 

Regional  Transit  Authorities 


Brockton  Regional  Transit  Authority 

9/19/98 

Lowell  Regional  Transit  Authority 

Cape  Ann  Regional  Transit  Authority 

Merrimac  Valley  Regional  Transit  Authority 

9/25/98 

Edgartown  Regional  Transit  Authority 

Montachusett  Regional  Transit  Authority 

Franklin  County  Regional  Transit  Authority 

10/5/98 

Pioneer  Valley  Regional  Transit  Authority 

9/18/98 

Greenfield  Montague  Regional  Transit  Authority 
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Appendix  3 
Documentation  Requested  from  Agencies 


Of  the  638  agencies  in  the  survey  the  following  14  were  sampled.  In  addition  to  the  survey  questions  the  OSA 
attempted  to  obtain  documentation  that  would  support  responses  obtained  in  the  survey.  As  can  be  seen  from  the  table 
below  not  all  documentation  was  obtained. 


Mass 

Resources 
Authority 

Mass 
Authority 

Mass 
Highway 
Dept. 

Mass 
Police 

Mass 
Emergency 
Management 

Dept.  of 
Transitional 
Assistance 

Dept.  of 
Health 

NO 

1 

Inventory  of  hardware, 
Software  and  equipment 
with  embedded  systems. 

Y 

Y 

N 

Y 
Y 

N 

N 

Y 

Y 

3 

2 

Operational  Y2K  Risk 
Assessment  for  software, 
hardware,  and  equipment 
with  embedded  technology 

Y 

Y 

Y 

N 

N 

N 

Y 

3 

3 

Legal  Risk  Assessment. 

Y 

N 

N 

N 

N 

N 

N 

6 

4 

Y2K  project  team  mission 
statement,  statement  of 
responsibilities,  project  team 
leader/coordinator  and  list  of 
team  members,  and 
organization  chart  (if 
applicable) 

Y 

Y 

Y 

N 

N 

Y 

Y 

2 

5 

Management  Y2K-related 
directives  and  mandates 

Y 

Y 

Y 

N 

N 

Y 

Y 

2 

6 

Y2K-related  policies  and 
procedures 

Y 

Y 

N 

N 

N 

N 

N 

5 

7 

Budget  and  cost  documents 
for  Y2K  project  and  related 
initiatives 

Y 

Y 

Y 

N 

N 

1  Y 

Y 

2 

8 

Y2K  Project  plan  and 
milestones 

Y 

Y 

Y 

Y 

N 

Y 

Y 

1 

9 

Testing  plan(s)  for  Y2K. 
compliance  -  Hardware, 
software/system, 
embedded  technology 

Y 

Y 

N 

N 

N 

Y 
Y 
N 

N 

5 

10 

Vendor  statements  of 
assurance  regarding  Y2K 
compliance.   Statements  may 
be  from  vendor  letters  or 
from  the  vendor's  web  site. 

Y 

Y 

N 

Y 

Y 

Y 

Y 

1 

11 

Risk  mitigation  and 
contingency  plans  -  (business 
continuity  plan) 

Y 

Y 

N 

N 

N 

N 

N 

5 

12 

PMO  Agency  Statement  of 
Year  2000  Status 

N 

Y 

Y 

Y 

Y 

Y 

Y 

1 

13 

Summary  of  test  results  from 
certification  reviews,  e.g., 
IV&V,  federal,  and  agency 
tests  or  other  audits 

Y 

Y 

N 

N 

N 

Y 

N 

4 

Y         =    Documentation  Obtained  N       =         Documentation  Not  Obtained 
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Dept.  of 

Div.  of 

ment  & 
Training 

Office  of 
the  State 
Comp- 
troller 

Dept. 

of 
Public 
Safety 

Dept  of 
Telecomm- 
unications 
&  Energy 

M 
g 

T 
A 

Bristol 

munity 
College 

Pg62 

of 
NO 

Pg61 

of 
NO 

Total 

of 

NOs 

1 

Inventory  of  hardware, 
Software  and  equipment 
with  embedded  systems. 

Y 

Y 

N 

Y 

•  Yv 

Y 

Y 

1 

3 

4 

2 

Operational  Y2K  Risk 
Assessment  for  software, 
hardware,  and  equipment 
with  embedded  technology 

Y 

Y 

N 

Y 

Y 

N 

Y 

2 

3 

5 

3 

Legal  Risk  Assessment. 

N 

Y 

N 

Y 

N 

N 

Y 

4 

6 

10 

4 

Y2K  project  team  mission 
statement,  statement  of 
responsibilities,  project  team 
leader/coordinator  and  list  of 
team  members,  and 
organization  chart  (if 
applicable) 

Y 

Y 

Y 

Y 

Y 

Y 

N 

1 

2 

3 

5 

Management  Y2K-related 
directives  and  mandates 

Y 

Y 

N 

Y 

Y 

Y 

N 

2 

2 

4 

6 

Y2K-related  policies  and 
procedures 

Y 

Y 

N 

Y 

Y 

N 

N 

3 

5 

8 

7 

Budget  and  cost  documents 
for  Y2K  project  and  related 
initiatives 

Y 

Y 

N 

Y 

Y 

Y 

N 

2 

2 

4 

8 

Y2K  Project  plan  and 
milestones 

Y 

Y 

N 

Y 

Y 

Y 

N 

2 

1 

3 

9 

Testing  plan(s)  for  Y2K 
compliance  -  Hardware, 
software/system,  embedded 
technology 

Y 

Y 

Y 

Y 

Y 

Y 

Y 

1 

5 

6 

10 

Vendor  statements  of 
assurance  regarding  Y2K 
compliance.    Statements  may 
be  from  vendor  letters  or 
from  the  vendor's  web  site. 

Y 

Y 

N 

Y 

Y 

N 

Y 

2 

1 

3 

11 

Risk  mitigation  and 
contingency  plans  -  (business 
continuity  plan) 

Y 

Y 

Y 

Y 

Y 

N 

N 

2 

5 

7 

12 

PMO  Agency  Statement  of 
Year  2000  Status 

Y 

Y 

N 

Y 

Y 

N 

N 

3 

1 

4 

13 

Summary  of  test  results  from 
certification  reviews,  e.g., 
IV&V,  federal,  and  agency 
tests  or  other  audits 

Y 

Y 

N 

Y 

N 

Y 

N 

3 

4 

7 
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On-site  Interviews 

The  following  are  some  additional  notes  obtained  through  on-site  interviews  conducted  with  fourteen  entities. 
The  information  provided  is  based  upon  observations,  reviews  of  documents,  and  statements  made  to  the  audit 
staff. 

1.  Massachusetts  Water  Resources 

From  our  interviews  at  MWRA  and  the  information  provided  to  us  in  a  written  MWRA  Year  2000 
Program  Plan,  we  believe  that  MWRA  personnel  are  well  aware  of  the  year  2000  problem.  The  Authority  has 
project  teams  reviewing  and  testing  different  areas  in  their  plant  for  potential  year  2000  problems.  For 
example,  a  high-risk  area  is  the  pumps  at  Deer  Island  that  a  project  team  is  testing  for  year  2000  readiness. 
December  31,  1998  is  the  target  date  for  examining  the  systems  and  July  1,  1999  is  the  deadline  for  all 
readiness. 

It  is  imperative  that  the  pumping  systems  be  operational  on  an  ongoing  basis,  or  at  least  not  down  for 
more  than  a  couple  hours  or  flooding  can  occur.  MWRA  is  faced  with  developing  contingency  plans  to 
ensure,  for  example,  that  electrical  power  is  available  by  means  of  a  backup  generator  that  requires  a 
significant  increase  in  fuel  storage  . 

2.  Massport  Authority 

From  our  interview  with  IS  management  and  staff  and  our  review  of  Massport  documentation,  we  have 
concluded  that  Massport  is  aware,  and  has  a  thorough  understanding  of  year  2000  issues,  including  embedded 
technology,  and  has  a  well-structured  approach  and  methodology  to  address  relevant  issues.  Massport  has 
established  a  year  2000  Program  Office  located  within  the  IS  and  Telecommunications  Department.  The  year 
2000  Program  Office  is  responsible  for  tracking  the  progress  of  the  overall  program,  including  specific  system 
compliance,  contingency  planning,  and  documentation  of  contingency  plans  in  a  business  continuity  plan. 

The  year  2000  program  team  is  composed  of  a  year  2000  Program  Manager,  Program  Office  staff,  Legal 
and  Risk  Management  Department  advisors,  and  designated  staff  from  other  Massport  departments. 
Consultants  are  hired  as  needed.  Year  2000  efforts  were  begun  in  1996,  and  an  effort  has  been  made  to 
involve  staff  throughout  the  authority.  The  Board  of  Directors,  executive  staff,  and  senior  management 
supports  year  2000  efforts. 

Massport  has  prioritized  the  operations  and  concomitant  systems  that  it  believes  are  mission-critical  or 
essential.  These  business  operations  and  processes  include  public  safety,  revenue,  and  customer  service. 
Massport  plans  to  issue  an  RFP  in  October  1998  regarding  independent  verification  and  validation  (IV  &  V) 
and  the  development  of  contingency  plans.  Although  Massport  has  identified  approximately  150  systems  (65 
mission-critical),  the  systems  are  under  constant  review.  Massport  has  also  undertaken  a  review  of  possible 
failures  of  its  suppliers,  distributors,  and  service  providers. 
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Massport  continually  documents  progress  toward  assessing,  retiring,  upgrading  or  replacing  systems. 
The  documentation  denotes  compliant  systems.  All  new  purchases  must  be  year  2000  compliant.  Vendors 
must  provide  written  documentation  regarding  assurances.  Massport  has  set  milestones  for  the  completion  of 
various  phases  of  its  year  2000  project.  According  to  Massport  officials,  all  assessments  of  systems  will  be 
completed  by  December  1998;  replacements  or  upgrades  will  be  completed  by  June  1999;  and,  the  IV&V  and 
contingency  plans  will  be  completed  by  September  1999. 

Massport  reported  65  mission-critical  systems;  the  PMO,  in  its  report  (dated  July  22,  1998),  listed  21 
mission-critical  and  three  essential  systems.  According  to  Massport,  the  PMO  reviewed  only  a  sample  of 
systems.  These  systems  were  not  necessarily  the  most  critical  systems.  However,  of  the  six  systems  that  the 
PMO  red-flagged  in  the  July  1998  report,  as  of  October  16,  1998,  four  are  in  compliance.  The  "Mobile 
Command  Post"  was  under  assessment.  Massport  officials  stated  that  the  system  would  probably  be  in 
compliance  by  November  15,  1998.  Of  the  other  non-IT  mission-critical  devices  with  embedded  chips, 
reported  by  the  PMO,  Massport  stated  that  defribulators,  fire  trucks,  and  signage  were  in  compliance.  Energy 
management  systems  and  fireboats  were  under  assessment.  However,  assessment  of  legal  risks  is  not  in 
writing. 

3.  Massachusetts  State  Police 

Based  on  the  results  of  our  review  of  the  Massachusetts  State  Police,  it  appears  that  additional  work  is 
required  to  complete  an  inventory  and  impact  assessment  of  equipment  with  embedded  technology. 
Administrators  at  the  State  Police  were  unable  to  provide  an  inventory  of  their  embedded  technology.  As  a 
result,  plans  had  not  been  formulated  to  remediate  or  replace  equipment  with  date-sensitive  embedded 
technology.  At  this  time,  one  cannot  determine  whether  the  State  Police  will  have  the  ability  to  fully  utilize 
all  equipment  with  embedded  technology,  such  as  communications  equipment  in  police  cars,  after  the  turn  of 
the  century.  In  addition,  we  have  concerns  about  the  AFIS  (automated  fingerprinting  information  system). 
This  system  is  not  compliant  and  is  in  the  process  of  being  replaced.  In  the  event  that  the  new  AFIS  system  is 
delayed  or  non-compliant,  there  is  no  backup  plan.  This  would  result  in  the  lack  of  a  fingerprint  identification 
system  for  the  state  police,  cities,  and  towns.  The  absence  of  automated  communications  and  the  AFIS  would 
greatly  hinder  efficient  and  effective  law  enforcement  activities. 

4.  Massachusetts  Highway  Department 

Although  the  MHD  is  behind  the  schedule  set  by  ITD's  PMO,  the  Department  appears  to  have  adequate 
control  over  their  year  2000  activities.  Using  the  risk  analysis  and  assessment  conducted  by  a  vendor, 
completed  in  May  1998,  and  the  hiring  of  a  full-time  consultant  to  manage  the  activities,  a  project  plan  has 
been  developed  and  the  project  is  underway.  The  MHD's  traffic-light  signals  comprise  their  mission-critical 
system.  Traffic-light  signals  pose  a  high  level  of  risk  to  the  public  safety  because  the  embedded  systems 
associated  with  the  traffic  signals  may  fail  to  work  properly  or  not  at  all  when  the  embedded  systems  encounter 
a  "00"  date.  These  systems  require  specific  expertise  to  ascertain  the  full  year  2000  impact  and  to  determine 
compliance,  remediation  options,  and  costs.  A  worse  scenario  would  occur  if  intersection  signals  displayed 
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green  lights  all  around.  Should  this  occur,  the  state's  legal  liability  due  to  resultant  auto  accidents  is 
potentially  very  great.  The  Department  has  established  task  teams  to  deal  with  this  priority  problem  and  has  a 
draft  plan  in  place  to  achieve  compliance  by  the  summer  of  1999.  The  Department  appears  to  be  adequately 
funded  to  support  the  remediation  or  replacement  of  these  systems.  Currently,  the  Department  is  completing 
the  first  stage  of  the  project,  which  is  the  complete  inventory  and  assessment  of  the  State's  traffic  signals.  The 
Commonwealth  is  responsible  for  about  2,000  or  20%  of  the  total  traffic  signals  in  the  state.  The  MHD  plans 
to  meet  with  the  sixteen  local  planning  boards  throughout  the  state  to  discuss  the  results  of  the  assessment  of 
their  inventory  and  possible  options.  The  MHD  staff  did  not  have  any  information  as  to  where  the  MDC,  or 
the  cities  and  towns  of  Massachusetts,  are  in  their  assessments  of  the  other  8,000  traffic  signals  in  the  state. 
This  unknown  information  could  result  in  major  problems  thoughout  the  state  if  not  addressed  immediately. 
Even  with  the  assistance  of  the  MHD  and  available  special  highway  funds,  it  may  be  too  late  for  some  cities  or 
towns  to  remediate  traffic-light  signals,  given  the  expertise  required  to  assess  this  potential  major  problem. 
Aside  from  traffic-light  signals,  other  embedded  systems  under  the  control  of  the  MHD  are  currently  being 
addressed.  Contracts  have  been  entered  into  to  bring  the  telephone  system  into  compliance,  and  all  pumps  are 
being  replaced  at  the  fuel  filling  stations  (these  pumps  will  all  be  able  to  be  operated  manually).  With  regard 
to  MHD's  essential  application  systems,  most  of  them  deal  with  data  that  records  and  reports  on  traffic-related 
statistics.  These  systems  will  be  updated  mainly  through  the  replacement  of  outdated  hardware  and  the 
conversion  and/or  transfer  of  data  from  outdated  to  year  2000-compliant  software.  The  replacement  process  is 
nearly  complete  and  testing  should  be  completed  and  verified  to  avoid  any  year  2000  problems. 

Current  year  2000  weaknesses: 

•  The  cost  of  MHD's  traffic  signal  assessment  is  unknown 

•  Time  frame  to  replace  traffic  signals  ( if  necessary  )  is  unknown 

•  Contingency  plans  for  traffic  signals  are  not  in  place 

•  Testing  has  not  been  started  on  the  IT  systems  transferred  to  new  systems 

•  Current  staff  members  are  being  drawn  away  from  year  2000  for  another  mandated  project. 

5.  Massachusetts  Emergency  Management  Agency 

Based  on  the  results  of  our  survey  at  the  Massachusetts  Emergency  Management  Agency,  the  following 
areas  are  of  concern.  MEMA  was  unable  to  provide  us  with  a  year  2000  remediation  plan  and  an  inventory  of 
their  hardware,  software,  and  embedded  technology.  As  a  result,  we  are  unable  to  determine  whether  MEMA 
will  have  the  ability  to  perform  required  functions  into  the  next  century. 

6.  Department  of  Transitional  Assistance 

The  Department  of  Transitional  Assistance  (DTA)  reported  that  10  mission-critical  systems  needed  to  be 
compliant  by  the  year  2000.  Below  are  the  weaknesses  and  strengths  of  the  agency  plan  for  year  2000 
compliance.  DTA  Business  managers  have  yet  to  develop  tangible  business-continuation  plans  in  the  event  of 
year  2000-caused  delays  or  failures. 

Because  of  DTA' s  overly  aggressive  time  line  of  completion  for  their  year  2000  remediation  and 
implementation,  the  agency  appears  to  be  focusing  exclusively  on  fixing  critical  computer  systems  and 
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choosing  not  to  involve,  or  in  this  case  even  appoint,  managers  responsible  for  DTA's  core  business  processes. 
Business  managers  should  establish  work  groups  of  program  staff  and  dedicate  sufficient  resources  to  develop 
business  continuity  plans  to  ensure  that  the  agency  can  maintain  the  delivery  of  essential  services  in  the  event 
of  year  2000-induced  failures  or  delays.  The  United  States'  General  Accounting  Office  (GAO)  recommends 
that  agencies  develop  contingency  plans,  including  the  development  of  manual  procedures,  to  ensure  the 
continuity  of  core  agency  operations. 

DTA  needs  to  provide  the  Information  Technology  Department's  (ITD)  Project  Management  Office 
(PMO)  with  accurate  information  about  the  status  of  their  year  2000  remediation  efforts.  Specifically,  the 
estimated  completion  dates  for  each  mission-critical  system  should  reflect  the  agency's  best  estimate  for  the 
actual  completion  dates.  DTA  has  put  all  systems  completion  dates  as  far  back  on  the  time  line  ,as  possible. 
This  does  not  give  a  real  and  actual  read  as  to  how  far  along  they  will  be  within  the  next  year.  Additionally, 
DTA  reported  to  PMO  that  they  had  contingency  plans  in  place  for  the  legacy  systems.    This  is  simply  not 
true.  What  is  in  place  is  a  contract  with  EDS  through  Sunguard  to  bring  their  client  server  systems  back  on- 
line with  their  tape  backups  in  case  of  emergency.  However,  there  is  no  formal  plan  for  procedures  regarding 
the  staff.  The  staff  at  DTA  has  no  plan  for  working  without  computers,  for  example  using  "workarounds,"  in 
order  to  service  the  needs  of  the  citizens  of  the  Commonwealth. 

DTA  may  have  established  an  unrealistic  or  overly-ambitious  year  2000  plan.  It  should  be  noted  that  the 
majority  of  mission-critical  systems  have  a  completion  date  of  April  1999.  This  is  an  extremely  tight  time 
line  to  accomplish  the  agency's  year  2000  goals.  Under  the  original  plan,  DTA  was  to  implement  Phase  II 
Beacon  to  make  their  agency  year  2000  compliant.  However,  by  January  of  1998,  management  concluded 
that  the  agency  was  not  going  to  meet  the  year  2000  deadline  and  decided  to  remediate  their  legacy  systems. 
Currently,  management  is  under  severe  time  constraints  to  resolve  the  situation.  Although  reported  progress 
offers  some  level  of  assurance  of  timely  year  2000  compliance,  the  large,  complex  nature  of  these  critical 
systems  and  the  remaining  work  required  to  correct  them  increases  the  likelihood  of  unforeseen  problems  and 
delays,  thus  increasing  the  potential  for  noncompliance.  Factors  that  might  lead  to  unforeseen  problems  and 
delays  include  personnel  shortages,  increased  costs  for  consulting,  and  data  interference  with  other 
organizations.  If  anything,  the  sheer  magnitude  of  DTA's  year  2000  project  presents  a  formidable  obstacle. 

No  formal  steps  have  been  taken  to  assess  the  impact  of  year  2000  on  operating  systems  and  systems 
software.  Also  management  has  not  assessed  the  risk  of  dependencies  on  suppliers,  finances,  and  utilities. 
Because  of  the  agency  has  not  performed  an  impact  assessment,  the  agency's  mission-critical  systems  is  at  a 
high  risk.  Clearly,  there  were  problems  with  bringing  the  Beacon  system  on-line,  and  some  of  those  may  have 
been  avoidable.  It  appears,  however,  that  management  has  learned  from  the  experience  with  the  Beacon  Phase 
1  and  has  acted  to  improve  their  practices  as  problems  are  identified. 
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7.  Department  of  Public  Health 

DPH  has  inventoried  their  embedded  software.  They  are  hiring  a  senior  year  2000  person  to  expedite  their 
progress  in  achieving  DPH's  compliance.  DPH  is  going  through  the  tax-exempt  lease  program  for  the 
purchase  of  embedded  software  in  order  for  their  systems  to  become  year  2000  compliant 
However,  our  survey  disclosed  that  DPH  does  not  have  a  formal  management  system  in  place,  does  not  have 
an  independent  verification  and  validation  plan,  and  has  unfunded  year  2000-related  costs. 

8.  Department  of  Revenue 

We  met  with  the  Department  of  Revenue  (DOR)  staff  on  October  7,  1998  to  ascertain  the  status  of  their 
year  2000  compliance  efforts.  Our  overall  conclusion  was  that,  although  the  DOR  will  not  meet  the  ITD 
PMO's  deadline  year  2000  compliance  regarding  certain  systems,  their  well-planned,  structured,  and 
documented  approach  will  permit  them  to  attain  year  2000  compliance  by  the  time  required.  DOR 
administrators  indicated  that  the  Department  had  ten  mission-critical  systems,  and  five  essential  systems. 
Much  of  the  work  of  code  remediation  is  being  performed  by  a  so  called  "code  remediation  factory"  in  India. 
The  DOR  has  had  a  good  experience  with  this  method  of  remediation  to  date.  A  demonstration  of 
independent  verification  and  validation  (IV&V)  of  one  system  remedied  in  this  manner  revealed  no  problems. 

DOR  officials  indicated  that  there  were  some  areas  of  concern  or  barriers  to  the  successful  outcome  of 
their  year  2000  project.  These  included  funding  issues,  especially  the  absence  of  funding  for  comprehensive 
IV&V  of  remediated  code  and  contingency  planning.  Another  concern  was  that  mandated  changes  to  the  tax 
laws  were  taking  scarce  knowledgeable  human  resources  (i.e.,  programmers  and  other  systems  staff)  away 
from  the  year  2000  project,  which  is  already  on  a  very  tight  schedule.  DOR  officials  indicated  that  the 
Department  was  just  getting  started  with  their  contingency  and  business  continuity  planning  effort  with  regard 
to  year  2000,  and  that  because  of  a  lack  of  funding,  they  did  not  have  a  plan  to  have  IV&V  done  on  their 
systems.  We  believe  that  IV&V  and  contingency  plans  are  essential  for  DOR  because  without  comprehensive 
testing,  including  IV&V,  the  DOR  cannot  be  assured  that  all  year  2000  problems  have  been  eliminated  from  its 
systems'  code  and,  without  adequate  contingency  planning,  the  Commonwealth  cannot  be  assured  that  its  tax 
revenue  will  be  able  to  be  collected  and  that  child  support  payments  can  be  made. 

9.  Division  of  Employment  and  Training 

Our  survey  of  the  Division  of  Employment  and  Training  disclosed  the  following: 

A  steering  committee  is  in  place  and  maintains  detailed  minutes  and  an  organization  chart. 
Management  is  currently  working  with  a  vendor  to  develop  the  independent  verification  and  validation 
(IV&V). 

The  Department  has  kept  its  employees  aware  of  the  situation  (i.e.,  the  DET  web  page),  and  has 
completed  a  thorough  assessment  of  software  products  used  by  the  division. 

DET  did  have  an  up-to-date  hardware  inventory  list  on  hand,  and  supplied  an  assessment  of  the  hardware 
products.  In  addition  there  is  a  high  degree  of  oversight  by  the  Department  of  Labor  federal  agency.  DET 
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uses  DOL  year  2000  completion  dates.  The  Department  has  prepared  supplemental  budget  request  dates 
including  assessments  as  of  10/97  and  has  detailed  status  reports  and  milestones. 

We  also  found  that  DET  has  initiated  a  detailed  testing  phase,  but  remediation  efforts  have  not  been 
completed  to  date,  and  that  embedded  software  has  been  assessed,  but  will  not  be  completely  ready  until 
January  1,  1999. 

As  of  today,  DET's  UI  Wage  Reporting  and  Benefit  system  is  not  year  2000  compliant. 

DET  is  working  on  development  of  a  contingency  plan,  the  agency  does  not  have  a  fully  developed  plan 
in  place  as  of  the  date  of  our  audit.  Vendors  are  currently  working  to  develop  contingency  plans  for  DET, 
since  the  Department  of  Labor  requires  one  by  November  20,  1998. 

10.  Office  of  the  State  Comptroller 

The  Office  of  the  State  Comptroller  is  the  bookkeeper  of  the  Commonwealth.  The  primary  application  of 
this  agency  is  (Massachusetts  Management  Accounting  and  Reporting  System)  MMARS.  MMARS  is 
expected  to  go  online  on  December  7  1998,  with  a  year  2000  compatible  version.  The  December  7,  1998  date 
is  the  fourth  such  scheduled  date  for  year  2000  compatibility.  Originally,  the  system  was  scheduled  to  be 
online  in  February  1998.  If  the  system  continues  to  have  scheduled  dates  that  slip,  the  Commonwealth  faces 
the  risk  that  it  will  not  have  a  bookkeeping  system  next  century. 

Documentation  was  received  from  the  Comptroller  after  October  20,  1998  and  was  not  included  in 
Appendix  3. 

11.  Department  of  Public  Safety 

The  Department  of  Public  Safety  (DPS)  should  not  have  a  year  2000  problem  in  regard  to  data  processing. 
All  vital  data  processing  is  now  functioning  on  40  year  2000  compliant  PC's  manufactured  by  Gateway  2000 
Inc.  The  Executive  Office  of  Public  Safety  (EOPS)  data  center,  which  is  installing  year  2000-compliant 
networks,  provides  all  network  services. 

The  primary  business  function  of  the  DPS  is  to  issue  licenses  and  certificates  of  inspection  to  individuals 
and  businesses  according  to  Massachusetts  General  Laws.  DPS  does  not  have  any  other  contracts  that  would 
constitute  a  legal  risk  in  the  event  of  a  problem.  DPS  has  two  MIS  workers  who  interact  with  the  EOPS  data 
center.  Their  evaluation  of  the  year  2000  problem  has  been  to  test  their  PC's  for  year  2000  compliance. 

12.  Department  of  Telecommunications  and  Energy 

The  OS  A  audit  team  performed  interviews  with  the  Department  of  Telecommunications  and  Energy's 
(DTE)  management  on  several  occasions,  pertaining  to  the  status  of  the  agency's  year  2000  compliance  efforts. 
We  determined  that  DTE  will  meet  the  ITD  PMO  year  2000  compliance  deadline  regarding  all  systems.  The 
adequately  planned,  structured,  and  documented  approach  will  allow  management  to  accomplish  year'  2000 
compliance  by  the  time  required.  DTE's  staff  and  team  member  indicated  that  they  had  one  mission-critical 
system  and  three  essential  systems.  DTE's  remediation  will  result  in  replacing  or  upgrading  of  all  IT 
equipment  and  software.  Also,  Charter  Systems,  Inc.  will  test  all  DTE's  systems  for  compliance. 
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DTE  anticipates  no  hindrance  to  timely  achievement  of  complete  year  2000  compliance,  both  at  their 
present  location  and  when  they  move  to  their  new  location  at  South  Station,  some  time  in  1999.  All  funding 
for  year  2000  has  been  approved  or  expected  to  be  approved  and  included  in  the  fiscal  years  1998,  1999,  and 
2000  budgets. 

13.  Bristol  Community  College 

It  is  our  opinion  that  Bristol  Community  College  needs  to  develop  a  written  year  2000  plan.  Although  the 
College  has  done  work  in  the  administrative  area,  the  academic  computing  area  has  not  been  reviewed.  College 
officials  have  done  testing  and  sought  compliance  letters  from  vendors.  The  officials  feel  confident  that  the 
College's  computers  are  year  2000  compliant. 

We  also  talked  to  College  Security  officials,  who  informed  us  that  they  have  visited  their  vendors  and 
were  given  a  copy  of  a  vendor  letter  stating  their  version  of  the  phone  and  voice  mail  system  on  Lucent  phones 
is  year  2000  compliant. 

14.  Massachusetts  Bay  Transportation  Authority 

MBTA  is  in  Phase  IB,  which  includes  remediation  and  testing  of  all  systems.  They  have  an  impact  report 
dated  6/30/98  that  covered  their  inventory  and  analysis  by  functional  areas  such  as;  administration,  finance, 
operations,  design  and  construction,  and  support.  In  addition  they  have  an  implementation  plan  which 
includes  audit  testing  and  compliance  testing. 

Their  year  2000  program  has  been  divided  into  four  phases: 

Phase  1  -  Impact  Analysis 
Phase  2  -  Implementation 
Phase  3  -  Testing 
Phase  4  -  Deployment 

They  are  currently  in  Phase  IB,  the  goal  of  which  is  to  identify  the  non-compliant  systems  and  devices 

and  determine  the  options  and  solutions  to  fix  them. 

MBTA  has  a  steering  committee  that  meets  bi-weekly  and  has  identified  the  levels  of  risk  being: 

Level  1  -  Safety  Sensitive 
Level  2  -  Mission  Critical 
Level  3  -  Business  Essential 
Level  4  -  Non-Critical 

They  are  currently  operating  a  new  IBM  system  390,  which  is  year  2000  compliant,  and  their  PC's  are 
being  replaced  as  needed. 

The  main  concern  with  the  MBTA  is  that  they  must  identify  and  replace  thousands  of  embedded  chips  in 
devices  that  control  the  operations  of  the  trains.  Although  the  MBTA  has  a  backup  plan  to  continue 
operations  using  staff  to  signal  trains,  this  method  is  less  efficient  than  when  embedded  chips  perform  this 
task  and  thus  train  service  is  likely  to  be  slower  if  the  backup  plan  is  implemented. 
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Appendix  4 
List  of  Recommendations 


The  following  is  a  list  of  the  recommendations  as  they  appear  in  the  Survey  Results  section  of  the  report. 
Included  are  the  section's  subheadings  to  assist  the  reader  in  cross-referencing  to  the  text. 


To  coordinate  information  on  the  status  of  year  2000  projects,  we  recommend  that 
through  legislative  initiative  and  coordination  from  the  Governor  that  the  PMO's 
authority  be  increased  and  that  all  entities,  including  the  Judiciary,  constitutional 
officers,  authorities,  and  entities  that  receive  state  funds,  be  required  to  report  on  the 
status  of  their  year  2000  efforts.  Such  entities  should  be  required  to  provide  statements 
of  progress  or  assurance  as  to  whether  mission-critical  and  essential  functions  and 
services  will  be  operational  when  impacted  by  year  2000-related  dates. 

In  addition,  ITD  should  establish  accreditation  methodologies  and  standards  to  certify 
the  completion  of  year  2000  projects. 

Awareness 


To  achieve  a  broader  spectrum  of  awareness  throughout  the  Commonwealth,  we 
recommend  that  the  Governor  issue  an  executive  order  related  to  year  2000  compliance 
responsibilities  and  reporting  requirements.  The  executive  order  should  include 
additional  requirements  for  centralized  reporting  for  all  state  entities,  and  incorporate 
instructions  similar  to  those  outlined  in  Secretary  for  Administration  and  Finance 
Charles  Baker's  September  29,  1997  letter  (see  Appendix  4,  page  79).  The  letter  was 
sent  to  all  executive  branch  secretaries  and  department  heads  regarding  year  2000. 

To  ensure  that  all  entities  become  sufficiently  aware  of  the  year  2000  problem  and  how 
to  address  it,  the  Commonwealth  should  continue  to  provide  year  2000  awareness 
seminars  across  the  state.  All  reasonable  efforts  should  be  made  to  contact  those 
entities  that  have  not  been  confirmed  as  having  developed  appropriate  strategies  to 
ensure  operational  viability  of  mission-critical  and  essential  operations. 

To  keep  informed  of  what  other  parties  are  doing  with  regard  to  the  year  2000  problem, 
entities  should  network  with  each  other,  consult  with  ITD's  Project  Management  Office, 
attend  Y2K  user  group  meetings,  and  use  Internet  websites  as  an  additional  source,  such 

as:  Http :  / /www . magnet .  state . ma . us/y 2k/  and  Http : //www . isaca . or g/y r2000 . htm 


Assessment 


At  the  completion  of  remediation  efforts,  we  recommend  that  entities  reconcile  their 
completed  inventories  of  software,  supporting  technology,  and  equipment  with 
embedded  technology  with  their  inventories  of  property  and  equipment. 

Entities  not  having  adequate  resources  to  complete  their  assessments  and  develop 
corrective  strategies  should  contact  ITD's  Year  2000  Program  Management  Office  for 
advice  and  assistance. 
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To  help  ensure  that  appropriate  controls  are  designed  and  implemented  over  the  IT 
environment,  entities  should  perform  a  risk  analysis  of  threats  and  exposures  on  current 
systems  and  IT  operations  considering  projected  risks  and  exposures  during  the  year 
2000  project. 

Based  on  the  results  of  the  assessment  phase,  we  recommend  that  entities  prepare  and 
make  available  a  statement  of  year  2000  impact  on  the  citizens,  other  entities,  and  other 
recipients  of  state  services  provided  by  the  entity's  information  technology.  The 
statement  of  impact  should  also  be  used  to  guide  the  development  of  contingency  plans. 

To  effectively  manage  subsequent  date-related  modifications  in  a  timely  manner,  a 
complete  inventory  of  workarounds  with  sufficient  information  should  be  maintained 
and  cross-referenced  to  the  entity's  IT  strategic  plan.  Entities  should  incorporate  in 
their  IT  strategic  plans  efforts  to  phase  out  workarounds  through  future  modification  or 
system  conversion  after  the  turn  of  the  century  as  appropriate. 


Planning 

To  help  ensure  that  entities  identify  and  plan  for  in  their  remediation  and  testing  efforts 
all  relevant  dates,  we  recommend  that  the  PMO's  Commonwealth  Y2K  Compliance 
Form  requiring  agencies  to  indicate  whether  they  plan  to  test  regarding  certain  dates, 
such  as  January  1,  2000,  be  expanded  to  require  additional  dates  and  to  obtain  a 
statement  that  the  entity  has  thoroughly  evaluated  critical  dates. 

To  help  ensure  operational  viability  of  mission-critical  and  essential  functions  and 
services,  entities  should  develop  and  maintain  a  master  Year  2000  Project  Plan  that 
addresses  application  systems,  supporting  technology,  embedded  technology,  and 
contingency  plans.  The  plan,  which  should  cover  the  entire  IT  environment,  should  be 
reviewed  and  approved  by  senior  management. 

Until  such  time  as  critical  millenium  dates  have  past  and  year  2000  compliance  is  fully 
attained,  information  technology-related  acquisition  and  development  initiatives  must 
address  year  2000  compliance. 

To  expedite  corrective  efforts,  year  2000  project  plans  should  identify  as  soon  as  possible 
the  priority  of  required  changes  and  resources,  such  as  additional  staff,  analytical 
software,  hardware,  and  third-party  assistance. 

Given  that  important  systems  need  to  achieve  year  2000  compliance,  we  recommend 
that  management  consider  setting  aside  less  essential  IT-related  projects  where 
resources  could  be  reallocated  to  year  2000  projects.  In  that  light,  we  recommend  that 
ITD  identify  ongoing  IT  projects  that  are  non-mission  critical  or  not  mandated  by  law  to 
which  associated  resources  could  be  reallocated  to  year  2000  projects.  If  required,  the 
Governor  should  consider  postponing  IT  projects  not  mandated  by  law  in  order  to  free 
resources  for  year  2000. 

We  recommend  that  each  entity  establish  appropriate  monitoring  controls  to  track, 
evaluate,  and  report  on  the  progress  of  year  2000  initiatives  and  the  status  of 
operational  viability  for  modified  systems  and  technology  to  address  year  2000 
processing  requirements. 

Entities  should  adopt,  at  a  minimum,  contract  and  warranty  language  developed  by  the 
Operational  Services  Division  (OSD)  of  the  Executive  Office  for  Administration  and 
Finance  and  include  additional  terms  and  conditions  as  deemed  appropriate.  We 
recommend  that  year  2000  contractors  be  bonded. 
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We  encourage  entities  to  attend  ITD's  Year  2000  User  Group  meetings. 


Responsibilities  and  Accountability 

To  ensure  that  adequate  attention  and  resources  are  applied  to  the  year  2000  problem, 
entities  should  establish  a  year  2000  project  team  comprised  of  members  who  are 
adequately  trained,  possess  sufficient  technical  knowledge,  and  have  strong 
communications  skills.  To  ensure  that  senior  management  is  kept  fully  aware  of  key 
year  2000  issues  and  problem  resolution,  the  year  2000  project  leader  should  have  direct 
access  to  senior  management. 

To  oversee  and  guide  the  entity's  entire  year  2000  project  effort,  year  2000  steering 
committees  should  be  established  at  the  entity  and  secretariat  levels.  At  the  entity  level, 
the  steering  committee  should  be  chaired  by  a  member  of  senior  management,  have 
representation  from  key  user  departments,  and  should  include  the  year  2000  project 
leader.  The  year  2000  project-team  leader  should  report  to  the  steering  committee  for 
review,  approval,  and  oversight  of  project  activities.  At  the  secretariat  level,  the 
steering  committee  should  also  be  chaired  by  a  member  of  senior  management  and  have 
adequate  representation  of  entities  within  the  secretariat. 


Year  2000  Funding 

Entities  should  continue  to  work  closely  with  ITD's  Y2K  Program  Management  Office 
and  with  the  Fiscal  Affairs  Division  to  establish  and  update  year  2000  funding 
requirements. 

Year  2000  project  teams  within  entities  should  work  closely  with  their  entity's  fiscal 
management  to  keep  them  informed  of  changes  in  cost  estimates  as  individual  projects 
progress. 


Contingency  Plans 

To  help  ensure  that  all  areas  of  risk  are  considered  in  the  entity's  risk  model,  risk 
management  should  be  categorized  into  three  areas  of  concern:  a.  avoidance  and 
mitigation,  b.  emergency  response,  and  c.  contingency  planning,  business  resumption 
and  recovery. 

To  ensure  that  appropriate  contingency  plans  are  in  effect,  entities  should  establish 
business  continuity  planning  (BCP)  task  forces  for  each  mission-critical  and  essential 
business  process.  Task  force  members  should  come  from  line  management  and 
operations  personnel,  and  should  not  contain  members  who  are  doing  program  code 
remediation. 

To  help  ensure  viable  operations  and  protect  services,  entities  should  establish 
contingency  plans  for  all  mission-critical  and  essential  systems,  but  with  special  attention 
to  those  for  which  there  is  either  a  likelihood  that  the  systems  will  not  attain  year  2000 
compliance,  or  for  systems  not  to  be  made  year  2000  compliant  in  time. 
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Continuity  planning  should  also  include  provisions  and  exigencies  regarding  the 
possibility  of  loss  of  public  utilities  (e.g.,  electricity,  gas,  transportation,  and  water  and 
sewer)  over  an  extended  period  of  time. 

To  help  ensure  delivery  and  the  entity's  "place  in  line,"  entities  should  negotiate  with 
vendors  ahead  of  time  for  support  services  and  supplies  for  the  period  following 
01/01/00.  Alternative  backup  data  processing  facilities  may  be  overrun  with  requests 
for  services,  and  fuel  delivery  services  for  backup  generators  may  be  overwhelmed  with 
requests  for  deliveries.  These  and  other  scenarios  need  to  be  carefully  planned  for 
ahead  of  time. 

We  recommend  that  entities  strengthen  backup  procedures  for  on-site  and  off-site 
storage  of  backup  media;  determine  whether  a  more  aggressive  backup  schedule  is 
warranted;  and  exercise  dual  control  over  off-site  backup  copies  for  all  mission-critical 
and  important  systems. 


System  Modification 

Legislative  initiatives  resulting  in  mandated  changes  to  automated  systems  should  take 
into  consideration  the  impact  on  critical  year  2000  projects  along  with  the  assessment  of 
other  usual  factors  such  as  cost/benefit,  technical  feasibility,  security,  and  business 
continuity  planning.  Management  initiatives,  as  well,  should  assess  the  impact  on  year 
2000  projects. 

To  ensure  consistency  in  making  year  2000  required  program-code  changes,  to  provide 
a  means  of  control,  and  to  provide  an  audit  trail  of  what  was  changed,  when,  and  by 
whom,  we  recommend  that  program-change-control  software  be  used  on  all  year  2000 
projects  that  are  deemed  to  be  of  sufficient  complexity  to  warrant  its  use. 

To  ensure  that  entities  can  recover  from  possible  errors  that  may  render  that  code 
unusable,  we  recommend  that  entities  maintain  full  backup  copies  of  files  and  systems 
prior  to  remedial  activities. 

We  recommend  that  state  entities  establish  control  procedures  to  ensure  that  future 
development  and  software  maintenance  is  year  2000  compliant. 

To  allow  access  and  processing  of  existing  and  archival  data,  we  recommend  that  entities 
plan  for  either  conversion  of  such  data,  or  the  provision  of  an  alternate  means  of 
processing  such  data. 


System  Access  Security 

We  recommend  that  management  review  access  security  policies  and  procedures  to 
determine  whether  current  controls  are  appropriate.  To  maintain  the  integrity  and  the 
required  level  of  security  over  production  libraries,  entities  should  have  adequate 
controls  in  place  to  protect  on-line  and  archival  data  files  from  unauthorized  access  and 
modification. 

To  promote  adequate  internal  controls,  we  recommend  that  managers  ensure  that 
individual  accountability  is  enforced  and  that  unauthorized  access  to  year  2000 
programs  and  data  is  specifically  prohibited. 
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Testing 


To  help  ensure  that  year  2000  compliance  testing  is  accomplished  in  the  most  efficient 
and  effective  manner  given  time  constraints,  entities  should  do  only  as  much  testing  as 
necessary  to  ensure  year  2000  compliance. 

To  reduce  the  amount  of  testing,  testing  should  be  limited  through  the  development  of 
test  requirements,  smart  test  script  procedures,  and  definitions  of  desired  test  outputs. 

Entities  with  large,  complex  systems  should  establish  a  specialized  testing  and 
compliance  team.  To  accomplish  this,  we  recommend  that  entities  use  the  best  available 
technical  knowledge  with  required  skill  sets  to  develop  test  tools  and  scripts.  Such 
entities  should  also  implement  a  year  2000-test  facility. 

To  ensure  the  adequacy  of  testing,  we  recommend  that  entities  develop  and  document 
test  and  validation  plans  for  each  converted  or  replaced  application  or  system 
component,  and  implement  automated  test  tools  and  scripts  as  appropriate  to  the 
automated  system  being  made  year-2000  compliant. 

To  help  ensure  uniformity  of  compliance  results,  entities  should  perform  unit, 
integration,  and  system  tests  on  each  converted  or  replaced  system  and  system 
component.  Testing  should  also  include,  but  not  be  limited  to,  data  aging,  date 
simulation,  regression,  performance,  stress,  forward  and  backward,  source-code 
auditing,  interoperability,  mainframe,  mini-,  and  microcomputers  (white  box),  and 
equipment  with  embedded  technology  (black  box),  as  appropriate. 

To  ensure  that  the  full  range  of  operational  requirements  are  considered  and 
remediated,  system  testing  should  include  the  operation  of  features  that  go  beyond  the 
application  code  itself,  such  as  those  for  restart  and  recover,  diagnostics,  automatic 
purge,  automatic  backup,  alarm  events,  etc. 

To  help  maintain  and  ensure  data  integrity,  entities  that  have  applications  systems  that 
receive  data  from  outside  sources  should  use  artificial-intelligence  audit  tools  to 
dynamically  screen  for  data  corruption  from  such  outside  sources.  Entities  should  also 
assess  the  degree  to  which  software  tools  can  be  used  to  prevent  and  detect  the 
importation  of  incompatible  date-formatted  or  corrupted  data. 

To  help  ensure  year  2000  compliance  for  mission-critical  and  essential  systems,  entities 
should  retest  with  newly  developed  automated  test  tools,  as  they  become  available. 

Independent  verification  and  validation  testing  should  be  performed  on  all  mission- 
critical  and  certain  essential  systems. 

Entities  should  develop  and  document  a  strategy  for  testing  contractor-converted  or 
replaced  applications  or  system  components. 

Entities  should  track  the  testing  and  validation  process  and  collect  and  use  project- 
related  statistics  to  manage  it. 
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Implementation  of  Remediated  Software 

To  help  maintain  and  ensure  data  integrity,  entities  that  have  applications  systems  that 
receive  data  from  outside  sources  should  use  artificial-intelligence  audit  tools  to 
dynamically  screen  for  data  corruption  from  such  outside  sources.  Entities  should 
assess  the  degree  to  which  software  tools  can  be  used  to  prevent  and  detect  the 
importation  of  incompatible  date-formatted  data. 


Reporting 

Entities  should  keep  their  client  base  informed  as  to  what  actions  have  been  taken  to 
ensure  year  2000  compliance  for  systems  (and  subsequent  status),  especially  when  those 
clients  are  dependent  upon  the  entity's  systems. 


Legal  Issues 

Entities  should  maintain  complete  documentation  of  efforts  to  assess  the  year  2000 
impact,  including  the  development  of  strategies  and  tactical  plans  for  addressing  the 
issue  and  taking  remedial  action,  verifying  test  results,  implementing  modifications  and 
technology,  informing  parties  as  to  year  2000  actions,  and  assessing  the  status  of 
information  systems  and  technology.  We  also  recommend  that  entities  maintain  careful 
records  of  all  activities  involved  in  their  year  2000  project.  This  would  include,  but  not 
be  limited  to,  the  year  2000  planning  documents,  year  2000  steering  committee  meeting 
minutes,  documentation  of  decisions  regarding  mission  criticality  and  importance  of 
affected  systems  and  associated  triage  decisions,  resource  and  cost  estimates  and 
methods  of  projecting  them,  project  status  reports  with  time  lines  and  milestones,  year 
2000  project  staff  organization,  staff  qualifications,  and  training  provided  regarding 
year  2000  remediation. 

We  recommend  that  agencies  contract  only  with  those  vendors  that  have  signed  the  year 
2000  blanket  contract  language  as  developed  by  the  Operational  Services  Division 
(OSD).  Agencies  should  be  aware  that  OSD  has  written  standard  year  2000  contract 
clauses  for  contractual  agreements,  and  entities  should  use  these  clauses  in  all  new 
requests  for  response  (RFRs)  and  contracts. 

We  recommend  that  entities  perform  a  legal  risk  assessment  with  regard  to  year  2000 
noncompliance  and  take  steps  to  protect  themselves  against  the  occurrence  of  these 
liabilities. 

Where  software  source  code  is  being  held  in  escrow,  entities  should  ensure  that 
escrowed  copies  of  software  have  been  remediated  to  ensure  year  2000  compliance. 


Statewide  Issues 

Oversight,  Organization,  Planning.  Controlling,  Monitoring,  and  Reporting 

To  help  ensure  that  the  Commonwealth  is  covering  all  areas  affecting  the  health,  safety 
and  well-being  of  its  citizens,  we  recommend  that  the  charter  and  funding  of  the  PMO  be 
legislatively  expanded  to  include  all  state  agencies,  cities,  towns,  and  public  schools  and 
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to  require  outreach  activities  to  private  sector  entities  where  the  health  and  safety  of 
citizens  is  involved,  such  as  to  hospitals  and  nursing  homes.  All  entities  covered  should 
be  requested  to  prepare  and  submit  to  the  PMO  periodic  reports  on  the  impact  and 
possible  disruptions  of  year  2000. 

To  help  ensure  proper  lines  of  communication  and  authority,  we  recommend  that  the 
PMO  report  directly  to  the  Governor. 

Funding.  Hiring,  and  Purchasing 

To  help  ensure  that  required  resources  are  available  when  needed,  we  recommend  that 
the  Legislature  and  Governor  consider  a  plan  to  fast-track  appropriations  of  monies, 
hiring  requests,  and  purchases  requested  and  required  for  year  2000  remediation, 
upgrades,  and  replacements. 

To  assist  financially  strapped  cities  and  towns  with  their  year  2000  efforts,  we 
recommend  that  the  Commonwealth  establish  an  emergency  low  (or  zero)  percent- 
interest-rate  loan  fund  for  year  2000  remediation  for  mission-critical  and  essential 
systems. 

To  help  ensure  that  skilled  staff  are  available  to  carry  out  year  2000  project  plans,  we 
recommend  that  the  so  called  "technical  pay  law"  be  reviewed  and  updated  to  make  the 
Commonwealth  sufficiently  competitive  in  attracting  and  maintaining  required 
employees.  This  review  and  update  should  be  carried  out  in  an  expeditious  manner. 

Emergency  Response  Planning 

To  assist  the  Commonwealth  in  its  overall  planning  for  disruptions  to  public  services 
brought  on  by  the  year  2000  computer  date  problem,  we  recommend  that  the 
Commonwealth  establish  an  emergency  response  plan  and  team  to  assist  in  dealing  with 
problems  resulting  from  the  millenium  date  change.  The  plan  should  be  developed 
jointly  by  the  Massachusetts  Emergency  Management  Agency,  the  State  Police,  the 
Massachusetts  National  Guard,  city  and  town  police  and  fire  departments,  and  other 
federal,  state,  local,  and  private  entities  as  deemed  appropriate. 

To  help  ensure  that  the  Commonwealth  takes  advantage  of  the  benefits  of  all 
cooperative  efforts  available,  we  recommend  that  the  MEMA  and  other  emergency 
response  planning  entities  work  closely  with  the  Federal  Emergency  Management 
Agency  and  similar  organizations  in  nearby  states  where  reciprocal  aid  agreements  can 
be  arranged. 

To  help  ensure  that  adequate  emergency  supplies  are  on  hand  when  needed,  we 
recommend  that  state  entities  and  cities  and  towns  procure,  and  strategically  store 
throughout  the  state,  critical  and  essential  supplies  and  provisions,  e.g.,  emergency 
backup  generators  and  generator  fuel  (which  should  be  gravity  fed),  emergency  signs, 
and  other  materials  critical  to  the  health  and  safety  of  citizens  of  the  Commonwealth. 

To  help  prepare  the  Commonwealth  for  the  effects  of  year  2000  impact  based  on  actual 
experiences  that  may  have  been  otherwise  unforeseen,  we  recommend  that  the  ITD's 
PMO  and  emergency  response  groups,  such  as  MEMA,  take  advantage  of  the  17  hour 
lead-time  of  actual  experience  as  the  millenium  date  change  circles  the  globe  by 
establishing  an  early-warning  monitoring  function. 

To  help  uncover  potential  year-2000  related  problems,  we  recommend  that  full-scale 
simulation  tests  be  performed  for  local  and  statewide  emergency  response  teams. 

To  better  know  the  status  of  year  2000  compliance  of  public  utilities,  we  recommend  that 
the  Department  of  Telecommunications  and  Energy  request  that  all  public  utilities 
within  the  Commonwealth  report  to  DTE  monthly  on  their  Y2K  status. 
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To  better  determine  the  status  of  year  2000  compliance  by  public  utilities,  we 
recommend  that  the  Department  of  Telecommunications  and  Energy  request,  which  all 
public  utilities  within  the  Commonwealth  report  to  DTE  monthly  on  their  Y2K  status. 

We  recommend  that  the  State  Treasurer  take  all  prudent  steps  required  to  protect  the 
state's  private-sector  equity  investments,  given  the  expected  disruptions  in  the  publicly- 
traded  equity  markets  that  may  be  caused  by  the  year  2000  problem. 
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Appendix  5 

Example  of  Placing  Year  2000  Impact  in  Perspective 

Disaster  Recovery  Planning 

Of  the  fourteen  agencies  interviewed,  seven  or  50%  of  the  fourteen  did  not  have  a  disaster  recovery 
plan  for  contingencies  relating  to  year  2000. 

During  the  blizzard  of  1978,  the  state  was  shut  down  for  a  week.  Most  people  have  fond  memories  of 
that  week  because  they  were  at  home,  warm  and  fed.  However,  for  some  people  the  blizzard  of  1978  was  a 
nightmare,  because  they  lost  family  or  property. 

Elements  that  inhibits  many  from  remembering  the  blizzard  of  1978  as  a  nightmare  was  the  fact  that, 
for  most  citizens  of  the  Commonwealth,  there  was  electricity  for  lighting,  heating  and  cooking,  and  phone 
service  for  letting  loved  ones  and  colleagues  know  that  we  were  alright  or  for  calling  for  emergency  services 
when  we  were  not. 

Based  upon  interviews  with  the  fourteen  entities  a  reoccurring  theme  was  that  all  state  entities  within 
the  Commonwealth  are  dependent  upon  electric  and  phone  service  in  order  to  function.  Some  can  continue  to 
provide  service  for  a  limited  period  of  time  by  using  generators  and  radios,  but  when  the  fuel  for  the  generators 
runs  out  and  the  batteries  in  the  radios  die,  then  the  services  that  these  agencies  provide  will  stop. 

Those  agencies  that  do  not  have  disaster  or  continuity  plans  implemented  and  have  not  already 
purchased  generators  or  radios  will  stop  functioning  the  moment  electric  and  phone  service  stops. 

The  91 1  system,  for  example,  makes  use  of  phones  to  receive  emergency  calls  from  the  public,  makes 
use  of  electricity  to  power  the  command  desk,  makes  use  of  radios  and  phones  to  dispatch  emergency 
personnel  to  the  affected  areas.  However,  if  there  were  no  phones  the  system  would  not  work,  or  if  there  were 
no  electricity  the  system  would  work  only  for  a  limited  period  of  time. 

The  MBTA  and  MWRA  both  have  generators  that  run  on  jet  fuel  and  it  is  possible  to  get  the  tanks 
refilled.  However  they  are  concerned  because  these  generators  are  a  temporary  stop  gap  measure  to  provide 
temporary  service  and  were  not  designed  to  supplant  the  normal  electric  service  on  which  we  are  all 
dependent. 
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Appendix  6 
Secretary  Charles  Baker  Letter 


Commonwealth  of  Massachusetts 
Executive  Office  for 
Administration  &  Finance 

State  House  -  Room  373 
Boston,  MA  02133 


ARGEO  PAUL  CELUCCI  TEL:  (6 1 7)  727-2040 

governor  FAX:  (617)  727-2779 
Charles  Baker 

SECRETARY 


To:  All  Secretaries  and  Department  Heads 

From:  Charles  D.  Baker,  Secretary,  EOAF 

Subject:  Year  2000  Compliance 

Date:  September  29,  1997 


We  face  a  unique  challenge  in  the  history  of  Commonwealth  operations  -  a  turn  of  the  century,  coupled  with  heavy 
reliance  on  automated  operational  systems. 

Therefore,  effective  immediately,  it  is  ordered  that: 

1 .  Uninterrupted  turn-of-century  service  delivery  is  each  agency's  top  operational  planning  priority. 

2.  The  management  of  each  agency  of  the  Commonwealth  is  responsible  for  assessing  its  Year  2000  preparedness  and 
bringing  its  systems  into  compliance,  or  devising  replacement  and  contingency  plans  for  insuring  smooth  operations 
through  the  turn  of  the  century,  and  having  such  assessments  and  plans  committed  to  writing. 

3.  All  purchases  by  Commonwealth  agencies  of  new  software,  systems,  enhancements  or  equipment  shall  be  Year  2000 
compliant. 

4.     New  acquisitions  which  do  not  address  specifically  identified  Year  2000  deficiencies  in  older  systems  should  not  be 
put  forth  as  "Year  2000"  initiatives. 

Agencies  are  directed  to  review  planned  and  ongoing  technology  initiatives  in  light  of  this  directive  and  suspend  all  such 
initiatives  which  detract  from  Year  2000  preparedness  efforts,  other  than  those  specifically  mandated  by  statewide 
directives  or  required  by  law. 

The  Information  Technology  Division,  through  its  Year  2000  Project  Management  Office,  will  continue  to  offer  assistance 
to  agencies  in  their  Year  2000  compliance  efforts.  The  Operational  Services  Division  is  available  to  assist  with  technology 
procurement  matters  related  to  Year  2000  compliance.  Please  feel  free  to  contact  these  agencies. 
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Appendix  7 
GLOSSARY 

Acceptance  Testing 

Testing  performed  on  a  new  or  modified  computer  system  as  a  condition  for  final  implementation  or  purchase  of  the  system.  The  tests 
focus  on  functionality,  data  integrity,  and  internal  system  controls  and  the  applicability  of  the  needs  of  system  users. 

Automated  Systems 

A  series  of  tasks  performed  by  a  computer  as  opposed  to  a  manual  system,  which  is  a  series  of  tasks  performed  by  a  human. 
Awareness 

A  phase  of  a  program  life  cycle.  A  major  drawback  of  the  year  2000  problem  is  the  lack  of  awareness  that  agencies,  departments,  and 
authorities  have  regarding  applications,  business  functions  and  the  relationship  between  a  business  function  and  the  enabling 
applications.  Understanding  the  relationship  between  the  business  function  and  its  enabling  technology  is  the  first  step  enabling  the 
assessment  of  the  risks,  costs,  and  time  requirements  in  addressing  the  year  2000  problem. 

Backward  Compatibility 

Backward  compatibility  refers  to  an  entity's  information  system's  ability  to  read  and  process  data  generated  by  the  system  from  prior 
periods.  Access  may  be  to  four-digit-year-2000-compliant  year  fields,  as  well  as  access  to  and  processing  of  non-compliant  data  with 
two  digit  year  fields. 

Benchmarking 

A  process  of  analyzing  similar  organizations,  or  functions  or  processes  performed  by  other  organizations,  in  order  to  attain  an 
understanding  of  "best  practices"  to  compare  to  one's  own  organization,  or  processes  within. 

Blanket  Contract 

A  blanket  contract  is  one  that  is  placed  at  bid  and  negotiated  by  the  state's  Operational  Services  Division  (OSD).  By  using  the  state's 
bargaining  and  purchasing  power  in  the  development  of  blanket  contracts,  the  best  competitive  price,  terms,  and  conditions  can  be 
obtained  and  made  available  to  all  state  entities. 

Bridge  Program 

A  bridge  program  is  software  written  to  translate  date-related  data  between  compliant  and  noncompliant  application  systems  or  to 
reformat  date-related  data  for  commonality  between  two  or  more  compliant  systems. 

Business  Partners 

Private  firms  or  other  government  entities  with  whom  an  entity  shares  or  obtains  products  or  services  necessary  for  critical  operations. 
Specifically  for  the  year  2000,  the  data  from  these  partners  may  be  imported  into  entity  computer  systems,  thus  impacting  the  entity's 
ability  to  be  year  2000  compliant.  It  also  might  include  business  partner  services  or  products  that  may  not  remain  available  to  the 
entity,  should  the  business  partner  not  be  year  2000  compliant. 

COBOL 

Acronym  for  a  programming  method  known  as  "Common  Business-Oriented  Language"  that  was  developed  by  the  Conference  on  Data 
Systems  and  Languages  for  use  in  business  data  processing  applications. 

Compiler 

Computer  software  that  translates  human-readable  computer  programs  (source  code)  into  executable  code  (a  format  understandable  by 
the  computer  to  process  the  program's  functions.  This  translated  version  cannot  be  read  by  computer  programmers,  thus  it  is  essential 
that  the  versions  of  the  computer  programs,  prior  to  translation,  are  backed-up. 

Date-Sensitive  Fields 

Date-related  data  fields  stored  in  a  computer  file  or  in  a  variable  kept  temporarily  in  computer  memory.  For  example,  a  birth  date  or 
years  of  employee  service  as  calculated  based  on  employee  hire  and  current  dates.  Date  fields  are  sensitive  to  the  year  2000  issue 
because  their  composition  may  have  a  two-digit  year  instead  of  a  four-digit  year.  For  example,  we  may  want  to  enter  a  date  into  a 
computer  system  of  June  16,  2001 .  Currently,  most  computer  systems  are  designed  to  store  the  date  as  06/1 6/01 .  Thus,  the  computer 
cannot  distinguish  whether  the  date  should  be  June  16,  1901  or  June  16,  2001,  causing  a  year  2000  problem. 
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Decompile 

Decompiling  a  program's  object  code  is  the  reverse  process  used  when  compiling  a  sequence  of  source  code.  Because  the  process  may 
be  prone  to  error,  it  should  be  used  only  when  the  original  source  code  is  lost  and  as  a  last  resort.  (See  also  source  and  object  code 
definitions). 

Deliverable 

The  end  result  or  output  of  a  specific  task  or  group  of  related  tasks.   For  example,  payment  checks  to  vendors  are  deliverables  of  the 
accounts  payable  process. 

Documentation 

Reference  material  that  documents  how  a  computer  system  operates  and  describes  each  of  its  components.   It  is  the  primary  means  by 
which  the  knowledge  of  entity  staff  is  recorded,  thereby  becoming  a  permanent  entity  asset.  Documentation  may  describe  computer 
systems  as  a  whole,  how  individual  programs  work,  or  the  purpose  and  valid  values  of  individual  data  fields. 

Entities 

Entities,  as  used  in  this  report,  refers  to  all  state  agencies,  secretariats,  departments,  divisions,  offices,  authorities,  educational 
institutions,  boards,  commissions,  councils,  and  committees.  Entities  may  organizationally  reside  within  the  Executive,  Legislative  or 
Judicial  Branches,  Constitutional  Offices,  or  independent  authorities. 

Evaluation 

A  phase  of  a  program  life  cycle.  It  is  the  entity  or  department  administrators'  responsibility  to  evaluate  their  needs  in  regard  to  the  Year 
2000  project  requirements  and,  if  required,  to  develop  appropriate  standards,  policies,  plans,  and  procedures  to  ensure  the  continuation 
of  operations  beyond  the  end  of  the  century.  A  high-level  risks  and  exposures  assessment,  and  an  evaluation  of  the  criticality  and 
importance  of  each  application  system  should  be  included. 

Examination,  Analysis,  and  Solution  Design 

Phases  of  a  program  life  cycle.   Information  technology,  including  all  critical  and  important  software,  hardware,  firmware,  microcode, 
operating  systems,  application  systems,  job  control  language,  software  compilers,  queries,  procedures,  calls  to  other  programs,  screens, 
databases,  and  data  must  be  examined;  analyzed  for  year  2000  problems;  and  then  a  solution  must  be  designed  to  correct  the  problem. 
Software  products  are  available  to  locate  date  fields  and  to  simulate  what  will  happen  after  December  31,  1999.  An  analysis  of  system 
change  prioritization  and  required  resources  should  also  be  done  at  this  time,  including  additional  staff,  analytical  software,  outside 
assistance,  cost,  and  time-frame  requirements  for  subsequent  phases. 

Failure  Date 

The  date  upon  which  a  system's  functionality  is  anticipated  to  be  impaired  due  to  its  inability  to  correctly  process  dates  beyond  the  year 
2000.  The  failure  date  may  actually  be  before  the  year  2000  for  systems  that  record  future  dates  -  for  example,  a  drivers'  license 
system  may  currently  contain  license  expiration  dates  beyond  the  year  2000. 

Field 

A  data  element  within  a  computer  file.  For  example,  one's  last  name  is  one  field  within  a  record  containing  one's  name,  address,  etc. 
The  inability  of  specific  date-related  fields  to  accommodate  a  four-digit  year  might  cause  the  bulk  of  an  entity's  Year  2000  problems. 

Firmware  (operational  equipment) 

Equipment  used  in  carrying  out  entity  business,  which  contains  imbedded  computer  processors.   Some  of  this  equipment  may  internally 
process  dates,  thus  posing  a  risk  to  the  entity  that  the  equipment  may  not  operate  properly  near  or  after  the  year  2000.  The  types  of 
equipment  include  endless  possibilities  such  as:  hospital  equipment;  internal  telephone  systems;  automobiles;  and  automated  equipment 
such  as  valves,  air  conditioning  controls,  security  systems;  etc. 

Forward  and  Backward  Testing 

Forward  and  backward  testing  is  accomplished  by  first  advancing  the  computer's  internal  clock  to  a  date  beyond  12/31/99,  and  then 
processing  with  dates  solely  in  the  20""  century,  performing  calculations  combining  dates  from  the  20"'  and  21s'  centuries,  then 
processing  with  dates  solely  form  the  20"1  century  other  tests  as  appropriate.  The  system  clock  is  then  reverted  to  today's  date,  and  the 
same,  or  similar,  tests  are  repeated. 


GPS  (Geographical  Positioning  System) 

GPS  is  a  system  of  geosynchronous  satellites  that  can  indicate  the  location  of  an  object  anywhere  on  Earth.  The  system  was  put  in 
place  in  the  first  instance  for  military  use,  but  has  been  adopted  for  many  civilian  purposes. 
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Hardware 

Items  of  computer  equipment  that  comprise  the  physical  machines  on  which  computer  software  operates. 
HVAC 

HVAC  is  an  acronym  for  heating,  ventilation,  and  air  conditioning. 
In-House 

Refers  to  an  organizational  unit  or  function  performed  within  the  organization,  as  opposed  to  third-party  provided,  or  outsourced.  An 
indication  that  a  computer  system  (primarily  computer  software)  was  developed  by  the  entity,  with  little  or  no  assistance  from  outside 
sources. 

Infrastructure 

The  computer  hardware  and  related  equipment  that  comprise  an  entity's  means  of  processing  computer  information.  This  may  include 
computer  networks,  telecommunications  systems,  etc.  It  is  important  to  note  that  this  would  include  the  facilities  of  a  third-party  that 
provides  services  to  an  entity. 

Information  Technology  Division  (ITD) 

A  Division  within  the  Executive  Office  for  Administration  and  Finance.  The  entity  responsible  for  advising  state  leaders,  assisting 
agencies,  and  promoting  efficient  systems  with  respect  to  information  resources  technology. 

Integration  Testing 

System  testing  which  focuses  on  the  integration  of  related  software  modules  and  applications. 
Inventory 

The  identification  of  all  computer  equipment,  equipment  containing  embedded  software,  and  software.  It  is  important  for  entity  or 
department  administrators  to  have  a  complete  and  accurate  inventory  of  their  information  technology  and  systems  prior  to  beginning  an 
evaluation  of  the  dimension  of  their  year  2000  problem.  The  inventory  of  automated  systems  would  identify  the  purpose  of  each 
system  and  its  relationship  (interface)  with  other  entity  business  elements  and  systems.  The  inventory  should  include  descriptive 
information  of  each  system  that  can  be  useful  for  risk-ranking  the  system  for  year  2000  projects.  Such  information  might  include:  the 
presence  of  date-sensitive  fields;  the  size  of  the  system  (in  terms  of  the  number  of  computer  programs,  etc.);  the  business  function 
supported  by  the  system;  and  the  potential  impact  of  system  failure  on  entity  operations  and  clients  served. 

Legal  Assessments 

An  identification  of  possible  sources  of  litigation  should  entity  computer  systems  or  operational  equipment  fail  due  to  an  inability  to 
correctly  process  dates  beyond  the  year  2000.  The  assessment  should  be  based  on  the  Inventory  of  Information  Systems,  along  with  an 
inventory  of  year  2000  susceptible  operational  equipment.  For  example,  the  assessment  might  project  probable  litigation  should  state- 
maintained,  timed  traffic-light  systems  malfunction  due  to  an  inability  to  process  dates  beyond  2000. 

Microcode 

A  technique  for  implementing  the  instruction  set  of  a  processor  as  a  sequence  of  microinstructions,  each  of  which  typically  consists  of  a 
number  of  bit  fields  and  the  address  of  the  next  microinstruction  to  execute.  Each  bit  field  controls  some  specific  part  of  the 
processor's  operation,  such  as  a  gate  that  allows  some  functional  unit  to  drive  a  value  onto  the  bus  or  the  operation  to  be  performed  by 
the  Arithmetic  and  Logic  Unit  of  the  central  processor.  Several  microinstructions  will  usually  be  required  to  fetch,  decode  and  execute 
each  machine  code  instruction  ("macroinstruction").  The  microcode  may  also  be  responsible  for  polling  for  hardware  interrupts 
between  each  macroinstruction. 

Milestones 

A  key  point  in  the  progress  of  a  project,  such  as  a  delivery  date,  deadline,  or  significant  point  of  achievement.  This  may  be  the 
completion  of  a  specific  system  development  phase,  such  as  system  assessment,  design,  computer  programming,  or  testing,  for  example. 

Mission-Critical 

Computer  based  or  dependent  systems  essential  to  providing  key  /  critical  entity  services  or  functions  mandated  by  law.  For  example, 
the  benefits  payment  system  is  essential  for  the  Division  of  Employment  and  Training  to  maintain  the  ability  to  distribute 
unemployment  benefits. 

Modification 

Refers  to  a  change  in  any  component  of  an  information  system,  typically  to  program  code.  It  is  a  phases  in  the  system  development  life 
cycle  for  major  changes  to  automated  systems.  Programming  changes  are  carried  out  by  in-house  and/or  vendor  programmers  and 
others  consistent  with  the  designed  solution.  During  this  phase,  and  subsequently,  management  must  ensure  that  adequate  internal 
control  is  maintained  over  system  and  data  security,  confidentiality,  and  all  program  changes  and  versions. 
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Noncompliance  (year  2000) 

The  state  of  being  unable  to  process  data  and  calculations  because  software  or  firmware  cannot  differentiate  date  fields  as  being  between 
centuries. 

Object  Code 

Object  code  is  the  computer  machine-readable  instructions  that  are  produced  after  "source  code"  is  run  through  a  program  known  as  a 
compiler.  Object  code  represents  computer  instructions  in  a  series  of  zeros  and  ones  (binary  code),  which  can  be  viewed  as  a  series  of 
on  or  off  switches  combined  in  patterns  to  represent  letters  or  symbols. 

Operating  System 

Computer  software  that  controls  the  operation  of  a  central  computer  or  a  personal  computer.   A  computer  cannot  function  without  the 
operating  system  .  On  a  central  computer,  the  operating  system  controls  requests  for  access  to  software  and  program  and  data  files. 
Examples  are  IBM  MVS  for  mainframes,  and  Novell  NetWare  for  local  area  networks. 

Operational  Equipment  (see  firmware) 

Operational  Services  Division  (OSD) 

OSD  is  the  state's  primary  purchasing  agent.  OSD  has  written  standard  contract  clauses  and  warranty  language  regarding  year  2000 
compliance  as  a  standard  requirement  for  doing  business  with  the  Commonwealth. 

Out-sourced 

The  opposite  of  in-house.  An  indication  that  a  computer  system  (primarily  computer  software)  was  developed  by  a  third-party  vendor, 
with  little  or  no  assistance  from  the  entity.  This  could  also  refer  to  a  computer  service  provided  by  a  third-party. 

Platform 

A  platform  is  a  computer,  most  often  a  mainframe  computer,  or  group  of  computers  on  which  an  entity's  applications  operate. 
Production  Environment 

The  term  production  environment  refers  to  the  storage  area  within  the  computer  where  the  set  of  programs  reside  that  actively  operate 
the  data  processing  functions  of  the  entity.  The  production  environment  is  usually  differentiated  from  the  test  environment,  where 
system  modifications  are  tested  before  being  used  in  production  or  actual  operations. 

Regression  Testing 

Regression  testing  is  performed  to  detect  errors  that  may  be  inadvertently  introduced  when  modifications  are  made  to  a  system's 
software. 

Request  for  Response  (RFR) 

A  request  for  response  is  a  document  within  a  bidding  process  whereby  an  entity  advertises,  or  otherwise  makes  it  known,  that  it  is 
interested  in  procuring  goods  and  services  as  described  in  the  RFR  document.  This  is  the  first  step  in  procurement  using  mandated 
public-bidding  procedures,  but  is  frequently  used  when  not  specifically  mandated  as  well. 

Scanning 

An  automated  process  by  which  diagnostic  software  is  used  to  review  entity  computer  programs  for  potential  date  problems  with  respect 
to  the  year  2000. 

Software 

The  instructions,  written  by  computer  programmers,  which  direct  how  a  computer  should  process  information.  It  may  take  the  form  of 
operating  system  or  application  programs. 

Source  Code 

The  software  written  to  automate  entity  business  processes.   Source  code  is  presented  in  the  program  language  used  by  the 
programmers  to  develop  the  system  and  is  thereby  readable  by  humans.  Once  written,  the  source  code  is  translated  (also  called 
compiled)  into  a  form  is  processed  by  the  computer.  Documenting  source  code  is  critical  to  ensuring  that  a  formal  record  exists  of  an 
entity's  business  processes. 

State  Entities  (see  entities) 

Stress  Testing 

Stress  testing  involves  subjecting  a  modified  program  or  application  system  to  a  volume  and  speed  of  input,  processing  and  output  of 
data  that  meets  or  exceeds  those  expected  during  actual  production  operation. 
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System  Testing 

A  phase  of  the  system  development  or  program  life  cycle.  It  is  a  test  of  all  of  the  integrated  components  of  an  information  system. 
Each  complete  system,  including  all  units  and/or  subsystems,  should  be  tested  for  full  operational  year  2000  compliance  as  soon  as 
modifications  are  completed  for  the  entire  system. 

Target  Dates 

Dates  on  which  specific  tasks  must  be  completed  or  events  must  occur,  regardless  of  project  schedule  changes. 
Task  Dependencies 

The  timing  relationship  between  project  tasks  that  determines  the  necessary  sequence  of  events.  For  example,  one  task  must  be 
completed  before  the  next  may  begin. 

Tasks 

A  project  activity  or  event  that  has  a  defined  start,  end,  and  duration.  The  task  produces  a  measurable  result  or  end  product. 
Telecommunications 

The  communications  networks  used  in  conducting  entity  business.  These  systems  may  carry  voice  and/or  computer  data  -  a  distinction 
is  typically  made  between  a  standard  voice  system  and  a  system  dedicated  to  computer  data  transmission.  In  assessing  Year  2000 
problems,  it  is  essential  to  identify  how  telecommunications  systems  interact  with  computer  systems.  The  entity's  internal  phone  system 
should  also  be  reviewed  for  potential  year  2000  problems. 

Triage 

A  process  to  address  situations  in  which  more  tasks  remain  to  be  completed  than  time  and  resources  allow.  Triage  identifies  what  key 
tasks  can  and  cannot  be  performed  within  the  given  parameters. 

Unit  Test 

A  phase  of  a  program  life  cycle.  System  testing  which  focuses  on  functional  and  compliance  testing  of  a  single  application  or  software 
module.  Units  of  application  programs  and/or  subsystems  should  be  tested  for  year  2000  compliance  when  programming 
modifications  for  each  unit  is  completed.  During  unit,  system,  and  integration  testing,  the  test  environments  should  afford  access 
security  controls  appropriate  to  the  systems  and  data  being  tested. 

UTC  (Universal  Time  Coordinated) 

UTC  is  a  base  time  scale  that  can  be  used  as  a  standard  time  measure  anywhere  on  Earth.  It  is  based  on  Greenwich  Mean  Time  (GMT). 
Utilities 

Refers  to  system  software  programs  that  provide  a  wide  array  of  system  functions  and  which  supplement  operating  system  software. 
Variables 

Values  temporarily  stored  in  computer  memory,  as  opposed  to  fields  that  are  normally  values  stored  on  a  disk,  etc.  Variables  are  used 
to  perform  calculations,  etc.,  the  value  of  which  may  change  during  processing.  These  can  cause  year  2000  problems  since,  like  date- 
sensitive  fields,  they  may  not  be  designed  to  correctly  handle  four-digit  years.  They  may  also  be  a  hidden  problem  since  values  may  be 
passed  from  one  variable  to  another  before  finally  being  stored  in  a  field  on  a  disk  file  -  making  it  difficult  to  determine  the  source  of 
inaccurate  dates  within  a  computer  file.  Year  2000  scanning  programs  may  overlook  these  variables  due  to  the  passing  of  values  from 
one  variable  to  the  next,  or  due  to  variable  names  with  are  not  readily  identified  as  date  related. 

Windowing 

Windowing  is  a  method  used  to  avoid  expanding  date  fields  in  noncompliant  program  code.  Using  windowing,  certain  assumptions  are 
made  within  a  translation  program  about  two-digit  year  dates.  For  example,"00"  through  "20"  may  be  assumed  to  be  years  in  the  21  st 
century,  while  "21"  through  "99"  may  be  assumed  to  be  dates  in  the  20th  century. 

Year  2000  Budget  Projections 

A  spending  plan  defining  an  entity's  year  2000  information  technology  projects  and  related  monetary  budgets.  State  agencies  are 
required  to  submit  such  a  plan  to  the  Fiscal  Affairs  Division. 

Year  2000  Compliant 

A  computer  system  (program  code)  or  piece  of  operational  equipment  (containing  a  computer  chip)  which  is  able  to  associate  a  correct 
century  with  a  year.   For  example  the  years  1901  and  2001  will  be  unique,  where  as  a  year  stored  as  01  could  easily  be  interpreted  as 
occurring  in  any  century. 


Massachusetts  Office  of  the  State  Auditor 


99-7055-4Y 


-85- 


Year  2000  Standard  (as  adopted  by  ITD) 

The  standard  date  format  adopted  by  the  Office  of  the  State  Comptroller  and  ITD  for  electronic  data  interchange  purposes.  Acceptable 
date  formats  under  this  standard  include  CCYYMMDD  format. 
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